Uploading a white SVG logo gets it styles removed and becomes black


(Viktor Smári) #1

I am uploading an SVG logo which has these styles included:

<style type="text/css">
.st0{fill:#FFFFFF;}
</style>

When I view the image after upload I don’t see this section, and the logo becomes black.

(The previous SVG logo was black, but I want it now to become white.)

I tried uploading another random image and that worked, then I tried again uploading the white image, and it again, becomes black.

Is the styles section being removed when uploading the SVG?

This is the forum: https://forum.smartcitizen.me/ and the logo after upload: https://forum.smartcitizen.me/uploads/default/original/1X/83af5c7ecbd0eafe044b00537945b2ef4bdef1a2.svg


(Régis Hanol) #2

It’s because we automatically remove <style> in SVGs for security reasons. Try inline styles instead.


Now that I think about it, it’s kinda pointless to block <style> tags but not inline styles…
Maybe we should allow them as this has generated more support question than actual security issues?


(Jeff Atwood) #3

SVG recommendations:

  • Disable all DTD processing, XInclude, XSL, XSI and entity resolution.
  • SVG files can include JavaScript, so that has to be disabled

I don’t think <style> is dangerous and I can’t remember why we originally did this… but the above definitely should be checked.


(Régis Hanol) #4

You can load external files in CSS, so you can do things like track users.
But I don’t remember seeing any security issues though.

We only allow these SVG elements


(Régis Hanol) #5

I’ve now allowed <style> elements in SVGs


(Régis Hanol) closed #6

This topic was automatically closed after 5 hours. New replies are no longer allowed.