Marker element being striped out from uploaded SVG

anthonydillon · September 18, 2020, 8:54am

When uploading an SVG the resulting SVG has removed marker elements. Is there a way to stop this from happening?

Example:
dex-unauthenticated

The raw image can be found here:
https://raw.githubusercontent.com/juju-solutions/bundle-kubeflow/1c76d8a0292f0a969f1ce416767ff3d5847508ca/docs/img/dex-unauthenticated.svg

gerhard · September 18, 2020, 11:13am

I guess we can add the <marker> element to the allowlist. I don’t see any attributes that affect security.

github.com

discourse/discourse/blob/ce686a008f97708099efbe9969d1a83f8b8950cf/lib/upload_creator.rb#L9-L13


WHITELISTED_SVG_ELEMENTS ||= %w{
  circle clippath defs ellipse feGaussianBlur filter g line linearGradient
  path polygon polyline radialGradient rect stop style svg text textpath
  tref tspan use
}.each(&:freeze)

anthonydillon · September 21, 2020, 12:26am

Thank you, filed a PR to have marker added to the allowlist when uploading an SVG.

Stephen · September 18, 2020, 7:33pm

For reference WebKit has had security problems with the marker element. The last issue was an RCE in December.