Avatars with .svg extension dont loaded in 2.2.0.beta3 +64 version

jandres · October 18, 2018, 6:58pm

I am trying from a while to upload an svg image for my avatar but it’s impossible.

When a update to 2.2.0.beta3 +64 version, all user having avatar image with svg extension was replaced by default image

codinghorror · October 18, 2018, 8:23pm

I am not sure we even want to support this cc @tgxworld ?

sam · October 19, 2018, 3:16am

Yeah we should block svg avatars

tgxworld · October 19, 2018, 8:16am

I had a look here and confirmed this is a regression.

https://github.com/discourse/discourse/blob/5f86564da1bc7c921bf1ed791b3ebc00b5917525/app/models/optimized_image.rb#L32

There was a change made to use IM_DECODERS to verify if an image can be optimized but we actually don’t need to optimize SVGs at all. What used to happen in the previous versions is that SVG “optimized images” are basically a copy of the original image.

https://github.com/discourse/discourse/blob/5f86564da1bc7c921bf1ed791b3ebc00b5917525/app/models/optimized_image.rb#L79-L80

I think we should just avoid creating optimized images for SVG altogether and retain support.

Stephen · October 19, 2018, 8:28am

Do we do anything to strip script tags from within SVG? Are they handled as <img> or <object>?

jandres · October 19, 2018, 1:53pm

There are a real problem to handle svg images as avatars?

Until now, the avatar images in svg have worked perfectly. I don’t understand why the headache

codinghorror · October 19, 2018, 11:50pm

Too much of a security and performance and complexity risk. Nobody needs a SVG avatar.

sam · November 7, 2018, 4:31am

We had a bunch of internal regressions around svg support, very few noticed it cause very few bother whitelisting svgs.

This is now fixed:

https://github.com/discourse/discourse/commit/0a442e319c45b91a2ce7b59efad1045596a323dd

Stephen · November 7, 2018, 5:48am

So SVG now works, except as avatars?

sam · November 7, 2018, 5:49am

If SVG is the poison you are into drinking and you enable it, it works for avatars and inside posts.

It was pretty broken previously.

Stephen · November 7, 2018, 6:10am

You both agreed above that they were a Very Bad Idea only three weeks ago, out of curiosity what changed?

sam · November 7, 2018, 6:15am

It was easier just to fix the underlying bug. It is more work to block it and add a test for blocking it, the risk of allowing svg avatars is not too high.

I will probably revisit this and block it unconditionally though cause there are just too many edge cases which make me uneasy.

In particular you could set an svg avatar to say a 500k image and that is the thumbnail and everything, that would be brutal, fixing that edge case is not worth the effort.

sam · November 10, 2018, 7:00am

This topic was automatically closed after 3 days. New replies are no longer allowed.

Topic		Replies	Views
SVG avatar and profile summary layout issue Bug	2	627	March 20, 2020
Svg mobile logo scales incorrectly Bug	14	865	March 11, 2023
Avatars became default after 2.2 beta upgrade - due to regression in azure blob plugin Support	20	1414	February 9, 2019
Uploading a white SVG logo gets it styles removed and becomes black Bug	5	865	February 7, 2019
Add the .svg file extension to "image files" Feature	6	1051	December 18, 2021

Avatars with .svg extension dont loaded in 2.2.0.beta3 +64 version

Related topics