Limit SVG namespaces to letters (fixes #3025)

craftcms · Jun 26, 2018 · 7c760cc · 7c760cc
1 parent 414d1ed
commit 7c760cc
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG-v3.md b/CHANGELOG-v3.md
@@ -26,6 +26,7 @@
 - Fixed a bug where datepickers were getting scrollbars.
 - Fixed a bug where volumes’ field layouts weren’t getting deleted when volumes were deleted. ([#3022](https://github.com/craftcms/cms/pull/3022))
 - Fixed a bug where deleting a section or an entry type wouldn’t delete any associated entries that didn’t exist in the primary site. ([#3023](https://github.com/craftcms/cms/issues/3023))
+- Fixed a bug where the `svg()` Twig function could convert `id` attributes within the SVG contents to invalid IDs. ([#3025](https://github.com/craftcms/cms/issues/3025))
 
 ## 3.0.12 - 2018-06-18
 

diff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php
@@ -850,7 +850,7 @@ public function svgFunction($svg, bool $sanitize = true)
 
         // Namespace any IDs
         if (strpos($svg, 'id=') !== false) {
-            $namespace = StringHelper::randomString(10) . '-';
+            $namespace = StringHelper::randomStringWithChars('abcdefghijklmnopqrstuvwxyz', 10) . '-';
             $ids = [];
             $svg = preg_replace_callback('/\bid=([\'"])([^\'"]+)\\1/i', function($matches) use ($namespace, &$ids) {
                 $ids[] = $matches[2];