Marker element being stripped out from uploaded SVG

When uploading an SVG, the resulting SVG has its marker elements removed. Is there a way to stop this from happening?

Example:
dex-unauthenticated

The raw image can be found here:
https://raw.githubusercontent.com/juju-solutions/bundle-kubeflow/1c76d8a0292f0a969f1ce416767ff3d5847508ca/docs/img/dex-unauthenticated.svg

1 Like

I guess we can add the <marker> element to the allowlist. I don’t see any attributes that affect security.

https://github.com/discourse/discourse/blob/ce686a008f97708099efbe9969d1a83f8b8950cf/lib/upload_creator.rb#L9-L13

4 Likes
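The effect of the allowlist change suggested above, as an added example that is not part of the original thread and is not Discourse's code: a minimal Python allowlist sanitizer showing why a stripped `<marker>` leaves a dangling `marker-end` reference, and that allowing the element still leaves event-handler attributes and `<script>` to the filter. The element and attribute lists, the function names and the sample SVG are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
MARKER_PROPS = ("marker-start", "marker-mid", "marker-end")
# Illustrative allowlists (assumptions for this example, not Discourse's lists).
BASE_ELEMENTS = {"svg", "defs", "g", "path", "line", "rect", "text"}
ALLOWED_ATTRS = {
    "id", "d", "x1", "y1", "x2", "y2", "viewBox", "fill", "stroke",
    "markerWidth", "markerHeight", "refX", "refY", "orient", *MARKER_PROPS,
}
MARKER_REF = re.compile(r"url\(#([^)]+)\)")

# Constructed sample: an arrowhead marker plus content a sanitizer must drop.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 40">
  <defs>
    <marker id="arrow" markerWidth="10" markerHeight="10" refX="9" refY="5"
            orient="auto" onload="alert(1)"><path d="M0,0 L10,5 L0,10 z"/></marker>
  </defs>
  <script>alert(1)</script>
  <line x1="10" y1="20" x2="100" y2="20" stroke="black"
        marker-end="url(#arrow)" onclick="alert(1)"/>
</svg>"""

def sanitize(svg_text, allowed_elements):
    """Drop elements (with subtrees) and attributes that are not allowlisted."""
    # Fine for the constructed sample; parse real uploads with a hardened parser.
    root = ET.fromstring(svg_text)
    allowed_tags = {SVG_NS + name for name in allowed_elements}
    if root.tag not in allowed_tags:
        raise ValueError("root element is not allowlisted")
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag not in allowed_tags:
                parent.remove(child)
        for attr in list(parent.attrib):
            if attr not in ALLOWED_ATTRS:  # drops on* handlers, xlink:href, ...
                del parent.attrib[attr]
    return root

def element_names(root):
    return {el.tag.replace(SVG_NS, "") for el in root.iter()}

def dangling_marker_refs(root):
    """Marker ids still referenced by marker-* attributes but absent from the tree."""
    ids = {el.get("id") for el in root.iter()}
    values = (el.get(prop, "") for el in root.iter() for prop in MARKER_PROPS)
    refs = {m.group(1) for m in map(MARKER_REF.fullmatch, values) if m}
    return sorted(refs - ids)
```

Calling `sanitize(SAMPLE, BASE_ELEMENTS)` reproduces the missing arrowheads reported in the first post; passing `BASE_ELEMENTS | {"marker"}` keeps the marker while the attribute allowlist still removes `onload` and `onclick`.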

Thank you, filed a PR to have marker added to the allowlist when uploading an SVG.

4 Likes

For reference WebKit has had security problems with the marker element. The last issue was an RCE in December.

1 Like

Thanks for the fix @anthonydillon!

1 Like