Linking to a remote SVG breaks the image when it gets downloaded and fixed by system

(Simon) #1

Specifically I added the link for the nodejs logo to our forum. A few moments later it was edited by the “system”:

Original post here: Branding LibreOffice 6.0 - Logo design and branding - Open Source Design

(Rafael dos Santos Silva) #2

Yes, like it’s written on the yellow edit message, the system downloaded a local copy of the image.

This is a feature of Discourse so hot linked images are downloaded so they won’t go missing.

There are some site settings to tweak this behavior if you don’t like the defaults.

(Joshua Rosenfeld) #3

@Falco, the issue isn’t the download of the image from remote, it’s that the image changed! Notice the letter “o” in node looks different in the remote image than the local image.

(Rafael dos Santos Silva) #4

Oh, I see. So the question is: “SVG optimizer broke this specific image”.

(Jeff Atwood) #5

We’ve seen this before, it has to do with the whitelister not liking aspects of the SVG. Searching should pick it up… let’s see

(Rafael dos Santos Silva) #6

This time this image has no style tags. My bet is the clip-path="url(#a)", which sounds exploitable.
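The effect guessed at in the thread, as an added example that is not Discourse's code: an attribute allowlist that omits `clip-path` silently drops it, and the shape renders unclipped. The allowlist, the `sanitize` helper and the sample SVG are constructed for illustration. The optional mode keeps `clip-path` only when it is a same-document `url(#id)` reference to an id that exists.

```python
import re
import xml.etree.ElementTree as ET
# Note: ElementTree is not hardened against hostile XML (entity expansion);
# for untrusted uploads parse with a hardened parser such as defusedxml.

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)

# Constructed sample: one circle clipped by a local <clipPath id="a">,
# one circle whose clip-path points at a remote document.
SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<defs><clipPath id="a"><rect width="5" height="10"/></clipPath></defs>'
    '<circle cx="5" cy="5" r="5" clip-path="url(#a)"/>'
    '<circle cx="5" cy="5" r="2" clip-path="url(https://example.invalid/x.svg#a)"/>'
    '</svg>'
)

# Hypothetical attribute allowlist (assumption, not any real project's list).
ALLOWED_ATTRS = {"viewBox", "id", "width", "height", "cx", "cy", "r", "d", "fill"}
# Only a bare same-document fragment reference is accepted.
LOCAL_REF = re.compile(r"^url\(#([A-Za-z_][\w.-]*)\)$")


def sanitize(svg_text, allow_local_refs=False):
    """Return (sanitized_svg, dropped) where dropped lists removed attributes."""
    root = ET.fromstring(svg_text)
    ids = {el.get("id") for el in root.iter() if el.get("id")}
    dropped = []
    for el in root.iter():
        for name, value in list(el.attrib.items()):
            if name in ALLOWED_ATTRS:
                continue
            m = LOCAL_REF.match(value.strip())
            # Keep clip-path only if it resolves to an element in this file.
            if allow_local_refs and name == "clip-path" and m and m.group(1) in ids:
                continue
            dropped.append((el.tag.split("}")[-1], name, value))
            del el.attrib[name]
    return ET.tostring(root, encoding="unicode"), dropped


if __name__ == "__main__":
    for mode in (False, True):
        out, dropped = sanitize(SAMPLE, allow_local_refs=mode)
        print("allow_local_refs =", mode, "dropped:", dropped)
```

Logging the dropped list at upload time is what makes a visual change like the one in post #3 traceable to a specific attribute.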