fix: logs for testing

MiroslavDionisiev · MiroslavDionisiev · commit 7247ee7e9db2 · 2025-05-09T14:32:18.000+03:00
diff --git a/packages/scratch-svg-renderer/src/sanitize-svg.js b/packages/scratch-svg-renderer/src/sanitize-svg.js
@@ -8,15 +8,17 @@ const DOMPurify = require('isomorphic-dompurify');
 
 const sanitizeSvg = {};
 
+const isInternalRef = ref => ref.startsWith('#') || ref.startsWith('data:');
+
 DOMPurify.addHook(
     'beforeSanitizeAttributes',
     currentNode => {
 
         if (currentNode && currentNode.href && currentNode.href.baseVal) {
             const href = currentNode.href.baseVal.replace(/\s/g, '');
             // "data:" and "#" are valid hrefs
-            if ((href.slice(0, 5) !== 'data:') && (href.slice(0, 1) !== '#')) {
-
+            if (!isInternalRef(href)) {
+                // TODO: Those can be in different namespaces than `xlink:`
                 if (currentNode.attributes.getNamedItem('xlink:href')) {
                     currentNode.attributes.removeNamedItem('xlink:href');
                     delete currentNode['xlink:href'];
@@ -27,6 +29,24 @@ DOMPurify.addHook(
                 }
             }
         }
+
+        // Remove url(...) usages with external references
+        if (currentNode && currentNode.attributes) {
+            for (let i = currentNode.attributes.length - 1; i >= 0; i--) {
+                const attr = currentNode.attributes[i];
+                const rawValue = attr.value || '';
+                const value = rawValue.toLowerCase().replace(/\s/g, '');
+        
+                const urlMatch = value.match(/url\((.+?)\)/);
+                if (urlMatch) {
+                    const ref = urlMatch[1].replace(/['"]/g, '');
+                    if (!isInternalRef(ref)) {
+                        currentNode.removeAttribute(attr.name);
+                    }
+                }
+            }
+        }
+    
         return currentNode;
     }
 );
@@ -37,13 +57,34 @@ DOMPurify.addHook(
         if (data.tagName === 'style') {
             const ast = parse(node.textContent);
             let isModified = false;
-            // Remove any @import rules as it could leak HTTP requests
+
             walk(ast, (astNode, item, list) => {
-                if (astNode.type === 'Atrule' && astNode.name === 'import') {
+                // @import rules
+                if (astNode.type === 'Atrule' && astNode.name.toLowerCase() === 'import') {
                     list.remove(item);
                     isModified = true;
                 }
+                
+                // Elements using url(...) for external resources
+                if (astNode.type === 'Declaration' && astNode.value) {
+                    let shouldRemove = false;
+                    walk(astNode.value, valueNode => {
+                        if (valueNode.type === 'Url') {
+                            const urlValue = (valueNode.value.value || '').trim().replace(/['"]/g, '');
+    
+                            if (!isInternalRef(urlValue)) {
+                                shouldRemove = true;
+                            }
+                        }
+                    });
+
+                    if (shouldRemove) {
+                        list.remove(item);
+                        isModified = true;
+                    }
+                }
             });
+
             if (isModified) {
                 node.textContent = generate(ast);
             }
diff --git a/packages/scratch-vm/src/import/load-costume.js b/packages/scratch-vm/src/import/load-costume.js
@@ -356,6 +356,8 @@ const loadCostumeFromAsset = function (costume, runtime, optVersion) {
  * @returns {?Promise} - a promise which will resolve after skinId is set, or null on error.
  */
 const loadCostume = function (md5ext, costume, runtime, optVersion) {
+    console.log('CCCCCCCCCCCCCCCCCCCCCCCCCCCC');
+    console.log(md5ext);
     const idParts = StringUtil.splitFirst(md5ext, '.');
     const md5 = idParts[0];
     const ext = idParts[1].toLowerCase();
@@ -394,6 +396,8 @@ const loadCostume = function (md5ext, costume, runtime, optVersion) {
             if (assetArray[0]) {
                 costume.asset = assetArray[0];
             } else {
+                console.log('BBBBBBBBBBBBBBBBBBBBBBBBBBB');
+                console.log(md5ext);
                 return handleCostumeLoadError(costume, runtime);
             }
 
@@ -405,6 +409,8 @@ const loadCostume = function (md5ext, costume, runtime, optVersion) {
         .catch(error => {
             // Handle case where storage.load rejects with errors
             // instead of resolving null
+            console.log('AAAAAAAAAAAAAAAAAAAAAAAA');
+            console.log(md5ext);
             log.warn('Error loading costume: ', error);
             return handleCostumeLoadError(costume, runtime);
         });
diff --git a/packages/scratch-vm/src/serialization/sb2.js b/packages/scratch-vm/src/serialization/sb2.js
@@ -452,6 +452,10 @@ const parseScratchAssets = function (object, runtime, topLevel, zip) {
             if (costumeSource.textLayerMD5) {
                 costume.textLayerMD5 = StringUtil.splitFirst(costumeSource.textLayerMD5, '.')[0];
             }
+            console.log('////////////////////////////');
+            console.log('sb2: old md5');
+            console.log(costume.md5);
+            console.log('////////////////////////////');
             // If there is no internet connection, or if the asset is not in storage
             // for some reason, and we are doing a local .sb2 import, (e.g. zip is provided)
             // the file name of the costume should be the baseLayerID followed by the file ext
diff --git a/packages/scratch-vm/src/serialization/sb3.js b/packages/scratch-vm/src/serialization/sb3.js
@@ -894,13 +894,17 @@ const parseScratchAssets = function (object, runtime, zip) {
             costumeSource.md5ext : `${costumeSource.assetId}.${dataFormat}`;
         costume.md5 = costumeMd5Ext;
         costume.dataFormat = dataFormat;
+        console.log('////////////////////////////');
+        console.log('sb3: old md5');
+        console.log(costumeMd5Ext);
+        console.log('////////////////////////////');
         // deserializeCostume should be called on the costume object we're
         // creating above instead of the source costume object, because this way
         // we're always loading the 'sb3' representation of the costume
         // any translation that needs to happen will happen in the process
         // of building up the costume object into an sb3 format
         return deserializeCostume(costume, runtime, zip)
-            .then(() => loadCostume(costumeMd5Ext, costume, runtime));
+            .then(() => loadCostume(costume.md5, costume, runtime));
         // Only attempt to load the costume after the deserialization
         // process has been completed
     });
