Avatars with .svg extension don't load in 2.2.0.beta3 +64 version

I have been trying for a while to upload an svg image for my avatar but it's impossible.

After an update to the 2.2.0.beta3 +64 version, all users' avatar images with the svg extension were replaced by the default image.

I am not sure we even want to support this cc @tgxworld ?

1 Like

Yeah we should block svg avatars

3 Likes

I had a look here and confirmed this is a regression.

https://github.com/discourse/discourse/blob/5f86564da1bc7c921bf1ed791b3ebc00b5917525/app/models/optimized_image.rb#L32

There was a change made to use IM_DECODERS to verify if an image can be optimized but we actually don’t need to optimize SVGs at all. What used to happen in the previous versions is that SVG “optimized images” are basically a copy of the original image.

https://github.com/discourse/discourse/blob/5f86564da1bc7c921bf1ed791b3ebc00b5917525/app/models/optimized_image.rb#L79-L80

I think we should just avoid creating optimized images for SVG altogether and retain support.

4 Likes

Do we do anything to strip script tags from within SVG? Are they handled as <img> or <object>?

1 Like

Is there a real problem with handling svg images as avatars?

Until now, the avatar images in svg have worked perfectly. I don't understand why the headache.

Too much of a security and performance and complexity risk. Nobody needs an SVG avatar.

2 Likes

We had a bunch of internal regressions around svg support; very few noticed because very few bother whitelisting svgs.

This is now fixed:

https://github.com/discourse/discourse/commit/0a442e319c45b91a2ce7b59efad1045596a323dd

2 Likes

So SVG now works, except as avatars?

If SVG is the poison you are into drinking and you enable it, it works for avatars and inside posts.

It was pretty broken previously.

1 Like

You both agreed above that they were a Very Bad Idea only three weeks ago; out of curiosity, what changed?

It was easier just to fix the underlying bug. It is more work to block it and add a test for blocking it; the risk of allowing svg avatars is not too high.

I will probably revisit this and block it unconditionally though, because there are just too many edge cases which make me uneasy.

In particular, you could set an svg avatar to, say, a 500k image, and that is the thumbnail and everything; that would be brutal. Fixing that edge case is not worth the effort.

2 Likes

This topic was automatically closed after 3 days. New replies are no longer allowed.
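
An added example, not Discourse's code and not part of the thread: a Ruby check for the two concerns raised above, script content inside an SVG and an oversized SVG being served unchanged as the thumbnail. The function name, byte cap, element list and verdict symbols are assumptions made for illustration.

```ruby
require "rexml/document"

# Assumed policy values for this example; they are not Discourse settings.
MAX_SVG_AVATAR_BYTES = 20 * 1024
ACTIVE_ELEMENTS = %w[script foreignObject iframe object embed].freeze

# Classifies raw upload bytes from their content, so a renamed file gets the
# same verdict as a .svg one. Returns :not_svg, :ok, or a rejection symbol.
def svg_avatar_verdict(bytes, max_bytes: MAX_SVG_AVATAR_BYTES)
  return :not_svg unless bytes.b.include?("<svg")
  # The thread notes an SVG "optimized image" is a copy of the original,
  # so the byte cap is enforced here, before any parsing.
  return :too_large if bytes.bytesize > max_bytes

  doc = begin
    REXML::Document.new(bytes)
  rescue StandardError
    return :malformed
  end
  root = doc.root
  return :not_svg unless root && root.name == "svg"
  return :has_doctype if doc.doctype # no entity definitions in an avatar

  elements = [root] # each_recursive skips the root, which can carry onload
  root.each_recursive { |el| elements << el }
  elements.each do |el|
    return :active_content if ACTIVE_ELEMENTS.include?(el.name)
    el.attributes.each_attribute do |attr|
      return :active_content if attr.name.downcase.start_with?("on")
      if attr.name == "href" && !attr.value.start_with?("#")
        return :external_reference
      end
    end
  end
  :ok
end

# Constructed sample inputs.
NS = 'xmlns="http://www.w3.org/2000/svg"'
SAMPLES = {
  clean:    %(<svg #{NS} viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>),
  script:   %(<svg #{NS}><script>/* constructed */</script></svg>),
  onload:   %(<svg #{NS} onload="x()"/>),
  external: %(<svg #{NS}><image href="https://example.invalid/a.png"/></svg>),
  huge:     %(<svg #{NS}><!--#{'a' * 500_000}--></svg>),
  png:      "\x89PNG\r\n\x1a\n".b + ("\x00".b * 64)
}.freeze

SAMPLES.each { |name, data| puts "#{name}: #{svg_avatar_verdict(data)}" } if __FILE__ == $0
```

The check answers only whether an upload is acceptable as an avatar; it does not rewrite or sanitize the file.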