
Remove SVG from image types

SVG files should not be treated as images - especially when it comes to uploads. An SVG file can contain arbitrary HTML data as well as event handlers in native elements.
Refs: https://html5sec.org/#svg
Original report by: Ishaq Mohammed
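Added illustration (not October CMS code): a small Python check in the spirit of the allow-list this commit edits, together with a content inspection that shows why SVG does not belong on such a list. The extension values are taken from the part of the `imageExtensions()` array visible in the diff (the full project list is not on the page), the function names are mine, and the two SVG documents are constructed samples.

```python
"""Added example (not October CMS code): why an 'image extension' allow-list
must not contain SVG, and what an SVG has to be checked for if it is accepted
at all. Sample documents are constructed for this example."""
import xml.etree.ElementTree as ET
from typing import List

# Allow-list shaped like imageExtensions() after the commit: 'svg' is absent.
# Only the extensions visible in the diff are listed here; the full project
# list is not shown on the page.
SAFE_IMAGE_EXTENSIONS = frozenset({"bmp", "png", "webp", "gif"})


def is_safe_image_extension(filename: str) -> bool:
    """Allow-list check: the final extension, lower-cased, must be in the set.
    'logo.png.svg' therefore fails, because only the last extension counts."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in SAFE_IMAGE_EXTENSIONS


def svg_risk_indicators(svg_text: str) -> List[str]:
    """Return reasons an SVG is an active document rather than a plain image.

    Looks for the constructs the commit message describes: script, HTML embedded
    via <foreignObject>, on* event-handler attributes, and javascript: links.
    For untrusted input in production, parse with defusedxml instead of the
    standard library so entity-expansion attacks are covered as well.
    """
    reasons: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    for elem in root.iter():
        # Strip the namespace: '{http://www.w3.org/2000/svg}script' -> 'script'
        tag = elem.tag.rsplit("}", 1)[-1].lower()
        if tag == "script":
            reasons.append(f"<{tag}> element")
        elif tag == "foreignobject":
            reasons.append("<foreignObject> element (embeds arbitrary HTML)")
        for attr, value in elem.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):
                reasons.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: URL in href on <{tag}>")
    return reasons


# Constructed samples: a plain shape, and a document using the active features.
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="red"/></svg>'
)
ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<a xlink:href="javascript:run()"><text>go</text></a>'
    '<foreignObject><div xmlns="http://www.w3.org/1999/xhtml">html</div></foreignObject>'
    '</svg>'
)

if __name__ == "__main__":
    for name in ("logo.PNG", "logo.svg", "logo.png.svg"):
        print(name, "allowed" if is_safe_image_extension(name) else "rejected")
    print("clean:", svg_risk_indicators(CLEAN_SVG))
    print("active:", svg_risk_indicators(ACTIVE_SVG))
```

The extension check is the cheap gate the commit relies on: once `svg` is off the list, an upload named `.svg` (or `.png.svg`) is simply not an image. The inspection function is what a media manager would need on top if it chose to accept SVG anyway, which is the trade-off the comment thread below is about; rejecting the format outright, as the commit does, avoids having to get that inspection right.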
daftspunk committed Oct 9, 2017
1 parent 7900807 commit 3bbbbf3da469f457881b5af902eb0b89b95189a2
Showing with 1 addition and 2 deletions.
  1. +1 −2 src/Filesystem/Definitions.php
@@ -182,8 +182,7 @@ protected function imageExtensions()
'bmp',
'png',
'webp',
'gif',
'svg'
'gif'
];
}
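Review bot: With 'svg' dropped from imageExtensions(), nothing in the method records why it is absent, so a later contributor is likely to add it back as "just another image type"; a one-line comment above the array, e.g. `// SVG intentionally excluded: a document format that can carry scripts and event handlers`, pointing at the reasoning in the commit message would prevent that. The trailing-comma change (`'gif',` becoming `'gif'`) is correct now that 'gif' is the last element.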

4 comments on commit 3bbbbf3

LukeTowers Oct 19, 2017

Member

@daftspunk how about if we sanitized SVG files on upload to make them safe? https://github.com/darylldoyle/svg-sanitizer

daftspunk Oct 19, 2017

Member

I'm not sure why this was added in the first place, so can't really comment. If SVG is truly needed, one can override the acceptable types in the form widget itself. This list defines what is considered safe and SVG is not considered safe.

datune Oct 19, 2017

Contributor

@daftspunk

Yes, we can all agree on that. However, the fact of the matter is, even though SVG is a document format, and not an image format, it still makes sense for a MEDIA-Manager to support those SVGs that do represent an image. So, while we can enable uploading SVGs, there are no previews in the media manager grid views.

I wanted to add support for this (just previews), but seeing how they will now be disabled by default, the PR I made a while back will need some changes. It's nothing complicated and will not break anything as far as I can tell.

Still, the question is, is this something you will consider? Cause if not, there is no point in me doing more work on this subject.
