Uploading a white SVG logo gets it styles removed and becomes black

I am uploading an SVG logo which has these styles included:

<style type="text/css">
.st0{fill:#FFFFFF;}
</style>

When I view the image after upload I don’t see this section, and the logo becomes black.

(The previous SVG logo was black, but I want it now to become white.)

I tried uploading another random image and that worked, then I tried again uploading the white image, and it again, becomes black.

Is the styles section being removed when uploading the SVG?

This is the forum: https://forum.smartcitizen.me/ and the logo after upload: https://forum.smartcitizen.me/uploads/default/original/1X/83af5c7ecbd0eafe044b00537945b2ef4bdef1a2.svg

It’s because we automatically remove <style> in SVGs for security reasons. Try inline styles instead.


Now that I think about it, it’s kinda pointless to block <style> tags but not inline styles…
Maybe we should allow them as this has generated more support question than actual security issues?

3 Likes

SVG recommendations:

  • Disable all DTD processing, XInclude, XSL, XSI and entity resolution.
  • SVG files can include JavaScript, so that has to be disabled

I don’t think <style> is dangerous and I can’t remember why we originally did this… but the above definitely should be checked.

2 Likes

You can load external files in CSS, so you can do things like track users.
But I don’t remember seeing any security issues though.

We only allow these SVG elements

3 Likes

I’ve now allowed <style> elements in SVGs

https://github.com/discourse/discourse/commit/c256121833008057f9f6834f9268aa77e0fc9ea2

7 Likes

This topic was automatically closed after 5 hours. New replies are no longer allowed.