New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[4.3] Media Manager SVG File #38068
Comments
There is indeed some need for information and documentation. Maybe we can add information for cassiopeia? |
The problem is that there is a bug and the correct error message is not being displayed. |
would a PR be possible? |
Indeed, there is a problem with SVGs here. Even when the allowed types and mime types are set correctly in the media manager's global configuration (like stated in the previous comment by @N6REJ), it is impossible to add SVGs to the Media manager (via uploads or drag-and-drop). Once the files are added to the images folder via FTP, for instance, the files are visible (without a preview, which is expected for now) and selectable in the article manager or Cassiopeia. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38068. |
@Quy can you tackle this? |
@obuisard: Thanks for your intervention |
@obuisard that is not my experience as shown in this video https://www.youtube.com/watch?v=U7hHYpuNqsg&ab_channel=LearnJoomla4 |
Thank you, Brian @brianteeman. It confirms that it used to work under Joomla 4.0.4. But my tests under Joomla 4.1.5 and 4.2.0 are failing. |
I am doing more testing on this. In Joomla 4.0.4, SVG files can be uploaded EXCEPT if the files start with an XML comment. Once the comment has been removed or moved inside the svg tag, it can be uploaded. This kind of comment is usually added by generators of SVG files. In Joomla 4.1.5, no file can be uploaded unless they are 'simple' XML files (containing the svg tag and the optional xml declaration). The ones containing additional namespaces or DOCTYPE cannot be uploaded. So, I see regression. |
Sounds like a issue with the security SVG filter |
We need to document what is a clean SVG and why some SVG files may be denied upload. SVG files need to be sanitized to avoid all kinds of security issues (cross-site scripting, HTML injections, denial of service - basically any possible attack related to XML documents). Some users may not be aware of it. |
Its more than that. The svg files used to test the filters when they were added do not work either |
you need to roll back to when it worked and then see what has changed. I have my suspicions but its too late and I had too many beer to try |
Yes @brianteeman, thank you! |
The major difference I see is that in 4.0 the content of the files was scanned for specific html/xml tags. In more recent versions, a sanitizer is used instead (from vendor 'enshrined'). It's the same one used in Nicholas K. Dionysopoulos's plugin for Joomla 3 (https://github.com/nikosdion/joomlasvg). The new sanitizer checks the SVG files and returns a clean version or false (the file could not be parsed). The sanitizer reports what issues have been addressed during sanitization. We use it in 4.2, for instance, to see if there are issues with the file. Based on my review of the MediaHelper code in 4.2,
should be
However, we do need to use the cleaned file if we do so. So the question here is: Another issue involves the error messages from the MediaHelper never showing because all is caught is JLIB_MEDIA_ERROR_UPLOAD_INPUT when returning from the LocalAdapter's canUpload function. |
I am going to write a PR that fixes the messaging that appears when the upload fails. |
I have added better messenging, Please test #38536 |
For joomla 4.2.4 I was not able to upload any svg image even with all settings for the media manager Allowed extensions: svg Any progress on this issue? |
For joomla 4.3.2 it is the same. Allowed extensions: svg Had to upload the files via sftp, the media manager blocks any attempt. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38068. |
This can still happen. SVG files are checked upon upload and if there is anything in the file that is considered harmful, the file will be rejected. You need to make sure the SVG file has been sanitized before use. |
I have create the svg with inkscape, I have assumed, it would already be sanitized. |
Actually, no. |
I tested a SVGOMG optimized file and it worked. Instead of this message: "File cannot be uploaded." Some hint would be really helpful, otherwise there will be a lot more users like me who stumble across this problem and then open completely unnecessary new tickets. Regardless, thanks again and a thumbs up from me as well for the answers. |
Please test PR #38536. |
Yes, please test, it will help getting it included in the 4.3.4 release next month. Thank you! |
closing as we have pr #38536 |
Steps to reproduce the issue
Upload svg file as logo in cassiopeia.
A message appears: An error has occurred.
Expected result
Solution: Under Media you have to allow svg in several places
file types; image/svg+xml
Valid image file extensions: svg
Allowed extensions: svg
Actual result
If you do not enter all types (see above). A message appears: An error has occurred.
Additional comments
Feature Rquest: Wouldn't it make sense to offer such information directly where the problem can occur?
Eg by displaying a small question mark icon and behind it the information that you first have to set e.g. svg "on" at this point or that.
Thank you.
The text was updated successfully, but these errors were encountered: