Marker element being striped out from uploaded SVG

anthonydillon · September 18, 2020, 8:54am

When uploading an SVG the resulting SVG has removed marker elements. Is there a way to stop this from happening?

Example:
dex-unauthenticated

gerhard · September 18, 2020, 11:13am

I guess we can add the <marker> element to the allowlist. I don’t see any attributes that affect security.

anthonydillon · September 18, 2020, 3:54pm

Thank you, filed a PR to have marker added to the allowlist when uploading an SVG.

Stephen · September 18, 2020, 7:33pm

For reference WebKit has had security problems with the marker element. The last issue was an RCE in December.

sam · July 6, 2021, 1:08am

Thanks for the fix @anthonydillon !

Topic		Replies	Views
Uploading a white SVG logo gets it styles removed and becomes black bug	5	806	February 7, 2019
Svg as custom badge support	2	304	November 1, 2021
Avatars with .svg extension dont loaded in 2.2.0.beta3 +64 version bug	12	4000	November 10, 2018
SVG Upload works, but broken url to image bug	3	1528	June 22, 2016
The badge grant selector could be improved in a few ways ux badges	0	240	May 5, 2023