Social Menu: Replacing SVG file inclusion method (#39136)

Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/10617469718

Upstream-Ref: Automattic/jetpack@1779fe4

Author: coder-karen

composer.lock

@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 This is an alpha version! The changes listed here are not final.
 
+### Security
+- Social Menu: Switch to more appropriate method of calling the SVG icon file.
+
 ### Added
 - Classic Theme Helper: Adding Portfolio custom post type content
 - Content Options: Moving content to Classic Theme Helper package.

vendor/automattic/jetpack-classic-theme-helper/CHANGELOG.md

@@ -18,7 +18,28 @@ function jetpack_social_menu_include_svg_icons() {
 		$svg_icons = __DIR__ . '/social-menu.svg';
 		// If it exists and we use the SVG menu type, include it.
 		if ( file_exists( $svg_icons ) && 'svg' === jetpack_social_menu_get_type() ) {
-			require_once $svg_icons;
+			$svg_contents = file_get_contents( $svg_icons ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents -- Only reading a local file.
+		}
+
+		if ( ! empty( $svg_contents ) ) {
+			$allowed_tags = array(
+				'svg'    => array(
+					'style'       => true,
+					'version'     => true,
+					'xmlns'       => true,
+					'xmlns:xlink' => true,
+				),
+				'defs'   => array(),
+				'symbol' => array(
+					'id'      => true,
+					'viewbox' => true,
+				),
+				'path'   => array(
+					'd'     => true,
+					'style' => true,
+				),
+			);
+			echo wp_kses( $svg_contents, $allowed_tags );
 		}
 	}
 	add_action( 'wp_footer', 'jetpack_social_menu_include_svg_icons', 9999 );