From 81a962afa8dcf3e658730395c427e5a54612c941 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 19 Mar 2026 04:29:38 +0000
Subject: [PATCH] Security: Sanitize uploaded SVGs to prevent Stored XSS

Adds the `enshrined/svg-sanitize` library to strip malicious `';
+
+ $file = UploadedFile::fake()->createWithContent('malicious.svg', $svgContent);
+
+ $upload = MediaUploader::make($file)->upload();
+
+ $this->assertTrue(Storage::disk('public')->exists($upload->getPath()));
+
+ $uploadedContent = Storage::disk('public')->get($upload->getPath());
+ $this->assertStringNotContainsString('assertDatabaseHas('media', ['id' => $upload->id]);
+ }
+}