Luuuk Posted March 15, 2023 Posted March 15, 2023 Hi, I noticed (and confirmed here under "Test Posting" too) that auto embedding works for "smaller" SVG (or at least that is a common factor for me), for example: https://upload.wikimedia.org/wikipedia/commons/4/42/Adobe_Acrobat_DC_logo_2020.svg https://upload.wikimedia.org/wikipedia/commons/e/e1/Google_Chrome_icon_%28February_2022%29.svg But "bigger" ones are not detected, for example: https://upload.wikimedia.org/wikipedia/commons/9/98/Microsoft_Edge_logo_%282019%29.svg https://upload.wikimedia.org/wikipedia/commons/e/e1/Thunderbird_Logo%2C_2018.svg [If I upload them to my server under shortened name and insert as "embedded" via HTML Source they display just fine but their size can no longer be changed/adjusted via editor by double click because a template error occurs (the Default theme returns it too): [Template core/global/editor/image is throwing an error.] Is there any specific limit or other reason why some SVG can't be embedded?
Luuuk Posted March 15, 2023 Author Posted March 15, 2023 Just to add, opening SVGs in a text editor shows that those which are automatically embedded have width + height specified: <svg xmlns="http://www.w3.org/2000/svg" width="256" height="256"> ... </svg> <svg xmlns="http://www.w3.org/2000/svg" width="720" height="720" viewBox="0 0 190.5 190.5" xmlns:v="https://vecta.io/nano"> ... </svg> The problematic ones do not have such specs: <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256">...</svg> If I edit a sample SVG by adding such values embedding works. SeNioR- 1
Marc Posted March 15, 2023 Posted March 15, 2023 Thank you for bringing this issue to our attention! I can confirm this should be further reviewed and I have logged an internal bug report for our development team to investigate and address as necessary, in a future maintenance release. SeNioR- and Luuuk 1 1
Stuart Silvester Posted March 16, 2023 Posted March 16, 2023 Embedding remote SVG images (or allowing your members to) can be a real security risk. SVG images can execute Javascript and potentially allow malicious code to run on pages that have the images embedded. Since you have 'HTML mode' enabled for your member group, these limitations are being bypassed as well as typical security protections (this is one of the reasons why we have a big notice next to enabling that option). SeNioR- 1
Luuuk Posted March 17, 2023 Author Posted March 17, 2023 6 hours ago, Stuart Silvester said: Embedding remote SVG images (or allowing your members to) can be a real security risk. (...) Since you have 'HTML mode' enabled for your member group Not sure where that is coming from in the context of the report... You allow here on your forum to embed direct SVGs otherwise I would not be able to make my test topic. As for the "HTML mode" on, from my forum perspective: - My intention is to use internal SVG links (safe SVGs uploaded to my server and linked in some topics) - HTML mode is enabled only for Administrators and Moderators.
Randy Calvert Posted March 17, 2023 Posted March 17, 2023 I think it’s a more of a “just because you can, it was not intended for you to do it” thing. My guess is they’re not directly wanting to support you trying to do what you’re doing despite that it works in some circumstances.
Luuuk Posted March 17, 2023 Author Posted March 17, 2023 If we talk about "remote images" then I would say that nothing could be considered to be truly "safe" only by judging the extension. For example, PNG can execute JavaScript too. Currently malware uses steganography to hide in the "plain" images.
Luuuk Posted March 17, 2023 Author Posted March 17, 2023 Just to clarify: My main report is related to SVG embedding without HTML on. Supported here on Invision forum. ----------------------------------- Note that my text related to HTML on in the editor is greyed out (to indicate that is not the main point). That was just my additional test while I was investigating why those particular SVGs refuse to be embedded. And thanks to this I found out that SVG dimensions are the culprit. I do not intend to force SVG embedding that way!
Stuart Silvester Posted March 17, 2023 Posted March 17, 2023 Hi, I was wrong, the security issues only really come into play when you allow SVG uploads (I'm not sure where my mind was yesterday when I replied!). The internal bug report is still open, but out of interest is it Firefox you're using to reproduce this issue? I wasn't able to reproduce it in Chromium based browsers, only Firefox.
Luuuk Posted March 17, 2023 Author Posted March 17, 2023 1 hour ago, Stuart Silvester said: I wasn't able to reproduce it in Chromium based browsers, only Firefox. Yes, you are right. I am using Firefox. Indeed, now I checked Chrome and the same SVG is embedded (and re-sized too). BTW.: 1 hour ago, Stuart Silvester said: the security issues only really come into play when you allow SVG uploads Out of curiosity, CKEditor 5 implemented SVG upload support. Would that be blocked in the future IPS version? Thanks!
Stuart Silvester Posted March 20, 2023 Posted March 20, 2023 I wouldn't expect so, we don't have any plans right now to allow SVG upload on the front-end. If there was complete control over the hosting environment (which there isn't with the classic option) it wouldn't be so much of a security risk. Luuuk 1
Recommended Posts