fix: View expanded svg images from <img> tags to avoid js attacks (#1429)

* Fix #1377

* feat: expand images in `<img>` tag to avoid javascript attacks

* Embed in img tags svg only

* Remove canonical url display from directory listing for svg

* Add test

* Remove unused Media class

* Change function of canonical url button

* Remove superflous `} `

* Update NL locale

Author: fsbraun

CHANGELOG.rst

@@ -2,11 +2,13 @@
 CHANGELOG
 =========
 
-unreleased
-==========
+3.1.0 (2023-10-01)
+==================
 
 * feat: limit uploaded image area (width x height) to prevent decompression
   bombs
+* feat: Canonical URL action button now copies canonical URL to the user's
+  clipboard
 * fix: Run validators on updated files in file change view
 * fix: Update mime type if uploading file in file change view
 * fix: Do not allow to remove the file field from an uplaoded file in

filer/__init__.py

@@ -13,4 +13,4 @@
  8. Publish the release and it will automatically release to pypi
 """
 
-__version__ = '3.0.6'
+__version__ = '3.1.0'

filer/admin/imageadmin.py

@@ -1,4 +1,6 @@
 from django import forms
+from django.shortcuts import get_object_or_404, render
+from django.urls import path
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext_lazy
 
@@ -80,19 +82,24 @@ class Meta:
         model = Image
         exclude = ()
 
-    class Media:
-        css = {
-            # 'all': (settings.MEDIA_URL + 'filer/css/focal_point.css',)
-        }
-        js = (
-
-        )
-
 
 class ImageAdmin(FileAdmin):
     change_form_template = 'admin/filer/image/change_form.html'
     form = ImageAdminForm
 
+    def get_urls(self):
+        return super().get_urls() + [
+            path("expand/<int:file_id>",
+                 self.admin_site.admin_view(self.expand_view),
+                 name=f"filer_{self.model._meta.model_name}_expand_view")
+        ]
+
+    def expand_view(self, request, file_id):
+        image = get_object_or_404(self.model, pk=file_id)
+        return render(request, "admin/filer/image/expand.html", context={
+            "original_url": image.url
+        })
+
 
 if FILER_IMAGE_MODEL == 'filer.Image':
     extra_main_fields = ('author', 'default_alt_text', 'default_caption',)