Prevent front-end from uploading SVG images to avoid SVG XSS attacks. #…

…115
innocommerce · Dec 24, 2024 · 7ccc90d · 7ccc90d
1 parent f007c80
commit 7ccc90d
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/innopacks/front/src/Requests/UploadImageRequest.php b/innopacks/front/src/Requests/UploadImageRequest.php
@@ -30,8 +30,14 @@ public function authorize(): bool
      */
     public function rules(): array
     {
+        if (is_admin()) {
+            $rule = 'required|image|mimes:jpg,png,jpeg,gif,svg,webp|max:4096';
+        } else {
+            $rule = 'required|image|mimes:jpg,png,jpeg,gif,webp|max:2048';
+        }
+
         return [
-            'image' => 'required|image|mimes:jpg,png,jpeg,gif,svg,webp|max:4096',
+            'image' => $rule,
             'type'  => 'required|alpha_dash',
         ];
     }