SVG broken only in Firefox when discourse copies it from external url

When a URL is posted and it makes a onebox and the image in the onebox is an SVG then Discourse is breaking the SVG in the onebox for and only on Firefox when the original SVG still works in Firefox fine otherwise. They have the same SVG commands, not scripting, fairly basic, it’s not even really minimized any to make shrinking it worthwhile.

The URL posted was (though any on that site the image breaks only in firefox):

The URL for the original SVG image is:

The diff from the working one to the broken one is:

< <svg xmlns:rdf="" xmlns="" height="128" width="128" version="1.1" xmlns:cc="" xmlns:xlink="" viewBox="0 0 128 128" xmlns:dc="">
> <svg xmlns:rdf="" xmlns="" xmlns:cc="" xmlns:xlink="" xmlns:dc="" height="128" width="128" version="1.1" viewBox="0 0 128 128">
< <linearGradient id="ac">
< <stop stop-color="#f0f04d" stop-opacity=".99608" offset="0"/>
< <stop stop-color="#aeae0c" stop-opacity=".99608" offset="1"/>
< </linearGradient>
< <linearGradient id="m" y2="137.8" xlink:href="#ac" gradientUnits="userSpaceOnUse" x2="263.27" gradientTransform="matrix(1.1228 0 0 1.1228 -185.11 -44.664)" y1="55.762" x1="181.48"/>
> <linearGradient id="m" y2="137.8" xlink:href="#b" gradientUnits="userSpaceOnUse" x2="263.27" gradientTransform="matrix(1.1228 0 0 1.1228 -185.11 -44.664)" y1="55.762" x1="181.48"/>
< <filter id="aa" style="color-interpolation-filters:sRGB" height="1.096" width="1.096" y="-0.048" x="-0.048">
< <feGaussianBlur stdDeviation="0.3791185"/>
< </filter>
< <filter id="z" style="color-interpolation-filters:sRGB" height="1.072" width="1.072" y="-0.036" x="-0.036">
< <feGaussianBlur stdDeviation="0.28433887"/>
< </filter>
< <filter id="y" style="color-interpolation-filters:sRGB" height="1.0711" width="1.0144" y="-.035541" x="-.0072186">
< <feGaussianBlur stdDeviation="0.16239486"/>
< </filter>
< <filter id="x" style="color-interpolation-filters:sRGB" height="1.0472" width="1.0161" y="-.023612" x="-.0080441">
< <feGaussianBlur stdDeviation="0.25528133"/>
< </filter>
< <filter id="w" style="color-interpolation-filters:sRGB" height="1.0396" width="1.0609" y="-.019809" x="-.030441">
< <feGaussianBlur stdDeviation="0.17757398"/>
< </filter>
< <filter id="v" style="color-interpolation-filters:sRGB" height="1.048" width="1.048" y="-.024" x="-.024">
< <feGaussianBlur stdDeviation="0.18636459"/>
< </filter>
< <filter id="u" style="color-interpolation-filters:sRGB" height="1.0294" width="1.0075" y="-.014688" x="-0.00377">
< <feGaussianBlur stdDeviation="0.13234916"/>
< </filter>
< <filter id="t" style="color-interpolation-filters:sRGB" height="1.0257" width="1.0078" y="-.012867" x="-.0039121">
< <feGaussianBlur stdDeviation="0.10401907"/>
< </filter>
< <filter id="s" style="color-interpolation-filters:sRGB" height="1.0123" width="1.0117" y="-.0061614" x="-.0058468">
< <feGaussianBlur stdDeviation="0.18272288"/>
< </filter>
< <filter id="r" style="color-interpolation-filters:sRGB" height="1.2179" width="1.0127" y="-.10897" x="-.0063496">
< <feGaussianBlur stdDeviation="0.12714919"/>
< </filter>
< <filter id="q" style="color-interpolation-filters:sRGB" height="1.0209" width="1.0013" y="-.010451" x="-.00063654">
< <feGaussianBlur stdDeviation="0.016550724"/>
< </filter>

I notice these forums did not auto-download the image instantly and optimize it as it did on the website the issue is taking place on (perhaps just a delay), the site link with an example of the issue is at:

At the very least, an option to not run the optimizer (sanitizer is fine, there is nothing to sanitize in that svg anyway) would be useful so could at least not break things.

It looks like it is removing the gaussian blur filters while the links ‘to’ those filters remain.

Manually adding the missing feGaussianBlur's back in fixes it and the SVG properly reappears.

Further testing shows that removing the filter attributes from the path’s also fixes it (though doesn’t look quite perfect due to the missing slight blur).

So as it stands, discourse is removing the gaussian blur filter elements while leaving the named references to them in the rest of the nodes. Discourse needs to either not remove the filter nodes that contains elements that are not script-issues (gaussian blur is not) or it needs to remove the associated attributes that are referencing the now missing filter elements. Leaving it in this half-state is broken.

I suspect this is a bug with imagemagick (which we use to optimize images)? As you said, somewhere in the process the filter elements are being stripped out.

Chrome/Safari tend to be a lot less strict about SVGs, so the shapes still render there — but the missing filters stop Firefox from rendering those shapes at all.

Ah, yeah imagemagick really shouldn’t be used on SVG’s, it has a lot of issues with them from personal experiences in the past and I haven’t heard of it having gotten better either (replacement projects have popped up for SVG specific handling instead, mostly in the node world for whatever reason…). I’d be fine with not optimizing SVG’s at all, just a sanitization thing to remove bad things like script tags or so forth.

Yep, that’s what I discovered as well, Firefox is strict to the spec, Chrome is… not.


We run our SVGs through a whitelist, @zogstrip are there more things we should be whitelisting?

Also for the record I am on Firefox and the onebox above appears to be working fine.


FTR, here’s what I see in latest Chrome on Windows 10

Here’s what I see in latest Firefox on Windows 10

I fixed the issue by allowing feGaussianBlur and filter svg elements.

We don’t optimize SVGs. We just “whitelist” them.


I’m curious about that, what version of Firefox on which OS? I tested the latest released Firefox on both linux and Win10 and they both shows the same issue as well as tested the developer edition of firefox on Win10 with the same issue. (EDIT: I also tested Firefox on android, it also had the same issue)

I fixed the issue by allowing feGaussianBlur and filter svg elements.

Awesome thanks! I’ll pull latest shortly and will report if further issues on newly posted links. :slight_smile:

I still find it odd that it left broken references. Even if it removes elements it should still fixup any links to them or the SVG can fail to render, as in this case.

Yeah, it’s a rather dumb whitelister that just removes non-whitelisted nodes. It doesn’t understand SVG and will thus not remove any references to the removed nodes.


Does ruby have any good SVG processors that could do a better job? I know the C++ and nodejs worlds have some pretty great ones but I haven’t really touched ruby.

EDIT: If I’m reading that whitelister right it seems to allow in a lot of security issues in regards to attributes and more… A proper sanitizer really might be better to look at…

I am on Firefox 66.0.2 on Arch Linux.

Interesting, I’m using 67.0b1 on ubuntu right now and it shows the broken SVG…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.