
Direct SVG embedding limitations?


Hi,

I noticed (and confirmed here under "Test Posting" too) that auto embedding works for "smaller" SVG (or at least that is a common factor for me), for example:

https://upload.wikimedia.org/wikipedia/commons/4/42/Adobe_Acrobat_DC_logo_2020.svg
https://upload.wikimedia.org/wikipedia/commons/e/e1/Google_Chrome_icon_%28February_2022%29.svg

But "bigger" ones are not detected, for example:

https://upload.wikimedia.org/wikipedia/commons/9/98/Microsoft_Edge_logo_%282019%29.svg
https://upload.wikimedia.org/wikipedia/commons/e/e1/Thunderbird_Logo%2C_2018.svg

If I upload them to my server under a shortened name and insert them as "embedded" via HTML Source, they display just fine, but their size can no longer be changed/adjusted in the editor by double click because a template error occurs (the Default theme returns it too): [Template core/global/editor/image is throwing an error.]

Is there any specific limit or other reason why some SVG can't be embedded?


Just to add, opening SVGs in a text editor shows that those which are automatically embedded have width + height specified:

<svg xmlns="http://www.w3.org/2000/svg" width="256" height="256"> ... </svg>
<svg xmlns="http://www.w3.org/2000/svg" width="720" height="720" viewBox="0 0 190.5 190.5" xmlns:v="https://vecta.io/nano"> ... </svg>

The problematic ones do not have such specs:

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256">...</svg>

If I edit a sample SVG by adding such values embedding works.


Embedding remote SVG images (or allowing your members to) can be a real security risk. SVG images can execute Javascript and potentially allow malicious code to run on pages that have the images embedded.

Since you have 'HTML mode' enabled for your member group, these limitations are being bypassed as well as typical security protections (this is one of the reasons why we have a big notice next to enabling that option).

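An added example (not code from the thread or from Invision Community) that ties the two observations above together: the root-element inspection that explains which files get auto-embedded (explicit width/height versus viewBox only), and the kind of check a site would want before accepting SVG from members, since an SVG file can carry script and event-handler attributes. The sample documents are constructed for the example; the first three mirror the root elements quoted earlier in the thread. The parser used is the standard library's xml.etree, which is why the function refuses any document with a DTD instead of trusting the parser to handle entity expansion.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
_LENGTH = re.compile(r"^\s*([0-9]*\.?[0-9]+)\s*(px)?\s*$")

# Constructed samples (not files from the thread); the root elements mirror the
# ones quoted above: explicit width/height vs. viewBox only.
EMBEDDABLE = ('<svg xmlns="http://www.w3.org/2000/svg" width="256" height="256">'
              '<rect width="256" height="256"/></svg>')
SCALED = ('<svg xmlns="http://www.w3.org/2000/svg" width="720" height="720" '
          'viewBox="0 0 190.5 190.5"><circle cx="95" cy="95" r="90"/></svg>')
VIEWBOX_ONLY = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256">'
                '<rect width="256" height="256"/></svg>')
# Constructed sample of the active content an upload filter should reject.
ACTIVE = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
          '<script>/* constructed placeholder */</script>'
          '<rect width="10" height="10" onload="/* constructed */"/></svg>')


def _px(value):
    """Return a unitless or px length as float, else None (em, %, mm ... count as missing)."""
    m = _LENGTH.match(value or "")
    return float(m.group(1)) if m else None


def _local(tag):
    """Strip the namespace from an ElementTree name such as '{ns}script'."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def inspect_svg(data: str) -> dict:
    """Report whether an SVG carries an explicit size and whether it contains active content."""
    # Refuse documents with a DTD: entity expansion is the classic XML parser DoS,
    # and a legitimate SVG icon does not need one.
    if "<!DOCTYPE" in data or "<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(data)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not an SVG <svg>")

    width, height = _px(root.get("width")), _px(root.get("height"))
    explicit_size = width is not None and height is not None

    # Fall back to the viewBox for the intrinsic size when width/height are absent
    # (the case the thread found is not auto-embedded in Firefox).
    size = (width, height) if explicit_size else None
    view_box = root.get("viewBox")
    if size is None and view_box:
        parts = view_box.replace(",", " ").split()
        if len(parts) == 4:
            try:
                size = (float(parts[2]), float(parts[3]))
            except ValueError:
                size = None

    # Active content: script/foreignObject elements, on* event attributes,
    # and javascript: URLs in href / xlink:href.
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ("script", "foreignObject"):
            findings.append("<%s> element" % name)
        for attr, value in el.attrib.items():
            attr_local = _local(attr)
            if attr_local.lower().startswith("on"):
                findings.append("%s handler on <%s>" % (attr_local, name))
            elif attr_local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL on <%s>" % name)

    return {"explicit_size": explicit_size, "size": size,
            "view_box": view_box, "active_content": findings}


if __name__ == "__main__":
    for label, sample in (("embeddable", EMBEDDABLE), ("scaled", SCALED),
                          ("viewbox-only", VIEWBOX_ONLY), ("active", ACTIVE)):
        print(label, inspect_svg(sample))
```

For the embed question, `explicit_size` is the attribute the thread identified as the difference; `size` shows that a viewBox-only file still has a perfectly usable intrinsic size, so the gap is in the embed detection, not in the file. For uploads, an empty `active_content` list is a necessary condition, not a guarantee: a blocklist of known active constructs is a first filter, and serving member-uploaded SVG from a separate origin or as `image/svg+xml` in an `<img>` element (where scripts do not run) is the stronger control.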

6 hours ago, Stuart Silvester said:

Embedding remote SVG images (or allowing your members to) can be a real security risk. (...) Since you have 'HTML mode' enabled for your member group

Not sure where that is coming from in the context of the report... You allow here on your forum to embed direct SVGs otherwise I would not be able to make my test topic.

As for the "HTML mode" on, from my forum perspective:
- My intention is to use internal SVG links (safe SVGs uploaded to my server and linked in some topics)
- HTML mode is enabled only for Administrators and Moderators.


If we talk about "remote images" then I would say that nothing could be considered to be truly "safe" only by judging the extension. For example, PNG can execute JavaScript too. Currently malware uses steganography to hide in the "plain" images.


Just to clarify:

My main report is related to SVG embedding without HTML on, which is supported here on the Invision forum.

-----------------------------------

Note that my text related to HTML on in the editor is greyed out (to indicate that it is not the main point). That was just my additional test while I was investigating why those particular SVGs refuse to be embedded. Thanks to this I found out that SVG dimensions are the culprit. I do not intend to force SVG embedding that way!


Hi,

I was wrong, the security issues only really come into play when you allow SVG uploads (I'm not sure where my mind was yesterday when I replied!).

The internal bug report is still open, but out of interest is it Firefox you're using to reproduce this issue? I wasn't able to reproduce it in Chromium based browsers, only Firefox.


1 hour ago, Stuart Silvester said:

I wasn't able to reproduce it in Chromium based browsers, only Firefox.

Yes, you are right. I am using Firefox. Indeed, now I checked Chrome and the same SVG is embedded (and re-sized too).

BTW:

1 hour ago, Stuart Silvester said:

the security issues only really come into play when you allow SVG uploads

Out of curiosity, CKEditor 5 implemented SVG upload support. Would that be blocked in the future IPS version?


Thanks!