New upstream version 0.5.1

SECURITY.md

+# Security Policy
+
+## Supported Versions
+
+Because of limited resources and general compatibility 
+between versions only the [latest release](https://github.com/dompdf/php-svg-lib/releases) of Dompdf 
+is actively supported.
+
+## Reporting a Vulnerability
+
+In order to give the community time to respond and patch 
+we strongly urge you report all security issues privately. 
+New vulnerabilities can be reported through the GitHub
+[Security Advisories](https://github.com/dompdf/php-svg-lib/security/advisories) 
+feature. If you have any questions email us at security@dompdf.org and 
+we will respond ASAP.

src/Svg/Document.php

@@ -53,6 +53,8 @@ class Document extends AbstractTag
     /** @var \Sabberworm\CSS\CSSList\Document[] */
     protected $styleSheets = array();
 
+    public $allowExternalReferences = true;
+
     public function loadFile($filename)
     {
         $this->filename = $filename;

src/Svg/Style.php

@@ -139,6 +139,16 @@ class Style
                         break;
                     }
                 }
+
+                if (
+                    \array_key_exists("font-family", $styles)
+                    && (
+                        \strtolower(\substr($this->href, 0, 7)) === "phar://"
+                        || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
+                    )
+                ) {
+                    unset($style["font-family"]);
+                }
             }
         }
 

src/Svg/Tag/Image.php

@@ -58,6 +58,10 @@ class Image extends AbstractTag
 
         $this->document->getSurface()->transform(1, 0, 0, -1, 0, $height);
 
+        if (\strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5) !== "data:"))) {
+            return;
+        }
+
         $this->document->getSurface()->drawImage($this->href, $this->x, $this->y, $this->width, $this->height);
     }
 

src/Svg/Tag/UseTag.php

@@ -14,12 +14,19 @@ class UseTag extends AbstractTag
     protected $y = 0;
     protected $width;
     protected $height;
+    protected $instances = 0;
 
     /** @var AbstractTag */
     protected $reference;
 
     protected function before($attributes)
     {
+        $this->instances++;
+        if ($this->instances > 1) {
+            //TODO: log circular reference error state
+            return;
+        }
+
         if (isset($attributes['x'])) {
             $this->x = $attributes['x'];
         }
@@ -52,6 +59,9 @@ class UseTag extends AbstractTag
     }
 
     protected function after() {
+        if ($this->instances > 0) {
+            return;
+        }
         parent::after();
 
         if ($this->reference) {
@@ -63,6 +73,11 @@ class UseTag extends AbstractTag
 
     public function handle($attributes)
     {
+        if ($this->instances > 1) {
+            //TODO: log circular reference error state
+            return;
+        }
+
         parent::handle($attributes);
 
         if (!$this->reference) {
@@ -70,7 +85,7 @@ class UseTag extends AbstractTag
         }
 
         $mergedAttributes = $this->reference->attributes;
-        $attributesToNotMerge = ['x', 'y', 'width', 'height'];
+        $attributesToNotMerge = ['x', 'y', 'width', 'height', 'href', 'xlink:href', 'id'];
         foreach ($attributes as $attrKey => $attrVal) {
             if (!in_array($attrKey, $attributesToNotMerge) && !isset($mergedAttributes[$attrKey])) {
                 $mergedAttributes[$attrKey] = $attrVal;
@@ -87,6 +102,11 @@ class UseTag extends AbstractTag
 
     public function handleEnd()
     {
+        $this->instances--;
+        if ($this->instances > 0) {
+            return;
+        }
+
         parent::handleEnd();
 
         if (!$this->reference) {