Uploading a white SVG logo gets its styles removed and becomes black

I am uploading an SVG logo which has these styles included:

<style type="text/css">
.st0{fill:#FFFFFF;}
</style>

When I view the image after upload I don’t see this section, and the logo becomes black.

(The previous SVG logo was black, but I want it now to become white.)

I tried uploading another random image and that worked, then I tried again uploading the white image, and again it becomes black.

Is the styles section being removed when uploading the SVG?

This is the forum: https://forum.smartcitizen.me/ and the logo after upload: https://forum.smartcitizen.me/uploads/default/original/1X/83af5c7ecbd0eafe044b00537945b2ef4bdef1a2.svg

It’s because we automatically remove <style> in SVGs for security reasons. Try inline styles instead.


Now that I think about it, it’s kinda pointless to block <style> tags but not inline styles…
Maybe we should allow them as this has generated more support questions than actual security issues?

3 Likes

SVG recommendations:

  • Disable all DTD processing, XInclude, XSL, XSI and entity resolution.
  • SVG files can include JavaScript, so that has to be disabled

I don’t think <style> is dangerous and I can’t remember why we originally did this… but the above definitely should be checked.

2 Likes

You can load external files in CSS, so you can do things like track users.
But I don’t remember seeing any security issues though.

We only allow these SVG elements

https://github.com/discourse/discourse/blob/19386ec2ea8dacb5574e5218c672370e12c83723/lib/upload_creator.rb#L10-L13

3 Likes
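An upload filter in the spirit of the recommendations and the element allowlist above, written here as an added Python example (not Discourse's Ruby code from lib/upload_creator.rb): it rejects any DTD before parsing, keeps only allowlisted elements, drops event-handler and href attributes, and keeps <style> unless the CSS would fetch a remote resource. ALLOWED_TAGS and SAMPLE are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")
# Constructed allowlist for this example (Discourse keeps its own in
# lib/upload_creator.rb); script, foreignObject, image, use and a are absent.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "style", "path", "rect",
                "circle", "ellipse", "line", "polyline", "polygon", "text",
                "tspan"}
EXTERNAL_CSS = re.compile(r"@import|url\s*\(", re.I)  # CSS that fetches a URL

# Constructed input: a white logo plus the things an upload filter must drop.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
          '<style type="text/css">.st0{fill:#FFFFFF;}</style><script>x()</script>'
          '<path class="st0" d="M0 0h10v10z"/></svg>')

def local_name(qname):
    return qname.rsplit("}", 1)[-1]  # drop ElementTree's {namespace} prefix

def clean_attrs(attrs):
    kept = {}
    for name, value in attrs.items():
        lname = local_name(name).lower()
        if (lname.startswith("on") or lname == "href"
                or (lname == "style" and EXTERNAL_CSS.search(value))):
            continue  # event handlers, off-site references, CSS loading a URL
        kept[name] = value
    return kept

def clean_element(elem):
    tag = local_name(elem.tag)
    if tag not in ALLOWED_TAGS:
        return None  # element and its whole subtree are discarded
    new = ET.Element(elem.tag, clean_attrs(elem.attrib))
    text = elem.text or ""
    # Keep the stylesheet (so fill:#FFFFFF survives) unless it loads a URL.
    new.text = "" if tag == "style" and EXTERNAL_CSS.search(text) else text
    new.tail = elem.tail
    for child in elem:
        cleaned = clean_element(child)
        if cleaned is not None:
            new.append(cleaned)
    return new

def sanitize_svg(data):
    # Refuse any DTD up front so no entity expansion reaches the parser;
    # ElementTree itself fetches no external entities and does no XInclude.
    if re.search(r"<!(DOCTYPE|ENTITY)", data, re.I):
        raise ValueError("DTD / entity declarations are not allowed in uploads")
    root = clean_element(ET.fromstring(data))
    if root is None or local_name(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    return ET.tostring(root, encoding="unicode")
```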

I’ve now allowed <style> elements in SVGs

https://github.com/discourse/discourse/commit/c256121833008057f9f6834f9268aa77e0fc9ea2

7 Likes
