From 7ccc90d2b549e14460efc4f758b01adbd080e7ff Mon Sep 17 00:00:00 2001
From: Edward Yang
Date: Tue, 24 Dec 2024 15:52:00 +0800
Subject: [PATCH] Prevent front-end from uploading SVG images to avoid SVG XSS attacks. https://github.com/innocommerce/innoshop/issues/115
---
 innopacks/front/src/Requests/UploadImageRequest.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/innopacks/front/src/Requests/UploadImageRequest.php b/innopacks/front/src/Requests/UploadImageRequest.php
index f00c7edc..2b01235a 100755
--- a/innopacks/front/src/Requests/UploadImageRequest.php
+++ b/innopacks/front/src/Requests/UploadImageRequest.php
@@ -30,8 +30,14 @@ public function authorize(): bool
 */
 public function rules(): array
 {
+ if (is_admin()) {
+ $rule = 'required|image|mimes:jpg,png,jpeg,gif,svg,webp|max:4096';
+ } else {
+ $rule = 'required|image|mimes:jpg,png,jpeg,gif,webp|max:2048';
+ }
+
 return [
- 'image' => 'required|image|mimes:jpg,png,jpeg,gif,svg,webp|max:4096',
+ 'image' => $rule,
 'type' => 'required|alpha_dash',
 ];
 }
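Review bot: The `if (is_admin())` branch in `rules()` carries no comment explaining why the two allow-lists differ, and the reason is security-relevant: Laravel's `image` rule on its own still accepts SVG, so the `mimes:` list is the only thing keeping SVG out of front-end uploads, and an admin upload still stores a file type that can carry scripts if it is later served inline. Add a why-comment above the branch, e.g. `// SVG can embed scripts (stored XSS); only admin uploads may include it, and SVG files must be served with X-Content-Type-Options: nosniff or as an attachment rather than inline.` The size limits also silently diverge (`max:4096` for admins, `max:2048` otherwise) and deserve a one-line note so the next edit keeps them in sync deliberately. To keep the two strings from drifting, consider building both from one shared prefix and appending only the extra `svg` entry and the limit in the admin branch; `is_admin()` is defined outside this file, so its semantics (role vs. panel context) should be confirmed before relying on it for an allow-list decision.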