Res facta quae tamen fingi potuit ([personal profile] pauamma) wrote in [site community profile] dw_dev 2018-03-18 08:25 pm

Question thread #62

It's time for another question thread!

The rules:

- You may ask any dev-related question you have in a comment. (It doesn't even need to be about Dreamwidth, although if it involves a language/library/framework/database Dreamwidth doesn't use, you will probably get answers pointing that out and suggesting a better place to ask.)
- You may also answer any question, using the guidelines given in To Answer, Or Not To Answer and in this comment thread.

Re: SVG images

[staff profile] denise 2018-03-26 04:19 pm (UTC)
Sadly, that's not possible, since SVG can contain scripting language and thus can be a security risk. Sorry!

Re: SVG images

(Anonymous) 2018-03-28 08:22 pm (UTC)

I know there's an HTML cleaner that strips all HTML that can be abused. Would an SVG cleaner that passes only white-listed SVG elements be a substantial task? I know I don't use all that many different SVG elements for my vector images, even if we count all the headers and helpers that Inkscape adds as things I use.

Probably obvious, but:
Any kind of cleaner would have to be based on a white-list rather than a black-list, because a black-list can't reasonably be expected to strip every future element with abuse potential, while a white-list that strips safe elements can be updated if enough people are affected to be worth revising the white-list.

Re: SVG images

[personal profile] steve98052 2018-03-28 08:23 pm (UTC)
That was me; I mistakenly replied without logging in.

Re: SVG images

[staff profile] denise 2018-03-29 04:57 pm (UTC)
No worries. :) I'm not experienced enough to say if a SVG cleaner would alleviate issues -- maybe make a top level dw-dev post about it?

Re: SVG images

[personal profile] steve98052 2018-04-03 03:51 am (UTC)
I did a little research on the matter, but I don't know nearly enough about the innards of Dreamwidth to guess what might fit the task. (If I was wrong about jitemid above, I may understand even less about it than I had thought.) Another consideration is how many people would want SVG support, or use it if it were available.

I found an article about SVG on Wordpress, explaining a little about the problems (which hadn't occurred to me, since I have only ever used the harmless parts of SVG). It points to a sanitizer that might be able to run on Dreamwidth, since it's Perl.

https://bjornjohansen.no/svg-in-wordpress

This is a PHP "sanitizer" for SVG, mentioned in the Wordpress article:

https://github.com/darylldoyle/svg-sanitizer

This is a Javascript sanitizer for HTML, MathML, and SVG, which was the basis for the PHP sanitizer:

https://github.com/cure53/DOMPurify

This is another PHP sanitizer, which is a lot simpler. That suggests that it's lighter on server load, and easier to validate, but also that it's more likely to reject non-malicious SVG:

https://github.com/alnorris/SVG-Sanitizer


Also, Mediawiki, used on Wikipedia and other Wikimedia sites, supports SVG. But in spite of some searching for how its SVG support works, all I could find is the general information that it can serve SVG to users whose browsers can render it correctly, but normally it automatically converts to PNG for more consistent behavior between browsers.

One of the points about consistent rendering behavior is that if an SVG file includes text, but requests a font that isn't installed on the machine that does the rendering (the server if the server is automatically converting to PNG, or the client if it's delivering SVG directly), the results may not be as intended.

Wikipedia user documentation advises users who generate SVG images that include text that they should upload two versions: one that has all the text vectorized, and one that includes the native text, the latter so that other users can edit the images without trying to reverse engineer the vectorized text. It also includes a link to a long list of fonts that Wikimedia can correctly render, most of which apparently are somewhat obscure free alternatives to more familiar proprietary fonts.

Sorry I don't have links for the Mediawiki articles, but I bounced around a lot gathering that information, and lost track of where I found it all among the abundance of information scattered around on Wikimedia sites.
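As an added illustration of the white-list approach argued for earlier in this thread (keep only known-safe elements and attributes, drop everything else) and of what the sanitizers linked in the comment above do in essence, here is a small allowlist SVG cleaner. It is example code written for this page: it is not Dreamwidth's code, which is Perl, and not any of the linked sanitizers. Python is used because it runs stand-alone with the standard library. The allowlists, the helper names and the sample SVG are all assumptions of the example; the sample is constructed to mix an ordinary Inkscape-style drawing with the usual abuse vectors (script element, event-handler attribute, script and external links, embedded HTML).

```python
"""Allowlist-based SVG cleaner (added example, not Dreamwidth code).

Policy: anything not explicitly allowed is dropped (elements, attributes and
non-local references), so unknown or future SVG features fail closed.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Illustrative allowlists (an assumption of this example, not a standard):
# enough for plain vector art; nothing that scripts, styles, animates,
# embeds foreign content or links out.
ALLOWED_ELEMENTS = frozenset({
    "svg", "g", "defs", "title", "desc",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop",
    "clipPath", "use",
})
ALLOWED_ATTRIBUTES = frozenset({
    "id", "x", "y", "width", "height", "viewBox", "transform",
    "d", "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2", "points",
    "fill", "fill-opacity", "fill-rule", "stroke", "stroke-width",
    "stroke-linecap", "stroke-linejoin", "stroke-opacity", "opacity",
    "font-family", "font-size", "font-weight", "text-anchor",
    "offset", "stop-color", "stop-opacity", "clip-path", "href",
})
TEXT_ELEMENTS = frozenset({"text", "tspan", "title", "desc"})
# Attributes that can carry a reference; only same-document "#id" survives.
REFERENCE_ATTRIBUTES = frozenset({"href", "fill", "stroke", "clip-path"})
FRAGMENT_REF = re.compile(r"^#[A-Za-z_][\w.-]*$")             # href="#id"
URL_FRAGMENT_REF = re.compile(r"^url\(#[A-Za-z_][\w.-]*\)$")  # fill="url(#id)"


def _split(qname):
    """'{uri}local' -> (uri, local); an unprefixed name -> ('', name)."""
    if qname.startswith("{"):
        uri, _, local = qname[1:].partition("}")
        return uri, local
    return "", qname


def _reference_is_local(name, value):
    value = value.strip()
    if name == "href":
        return bool(FRAGMENT_REF.match(value))
    if value.lower().startswith("url("):          # paint servers / clip paths
        return bool(URL_FRAGMENT_REF.match(value))
    return True                                   # plain colour or keyword


def _clean(elem, dropped, root=False):
    """Return an allowlisted copy of elem, or None if elem itself is rejected.
    A rejected element takes its whole subtree with it (strict by design)."""
    ns, local = _split(elem.tag)
    if ns not in ("", SVG_NS) or local not in ALLOWED_ELEMENTS:
        dropped.append(f"element:{local}")
        return None
    out = ET.Element(local, {"xmlns": SVG_NS} if root else {})
    for qname, value in elem.attrib.items():
        ans, aname = _split(qname)
        if ans == XLINK_NS and aname == "href":
            aname = "href"        # legacy xlink:href becomes the SVG 2 href
        elif ans not in ("", SVG_NS):
            dropped.append(f"attribute:{aname}")   # inkscape:*, sodipodi:*, xml:*
            continue
        if aname not in ALLOWED_ATTRIBUTES:        # on*, style, ...
            dropped.append(f"attribute:{aname}")
            continue
        if aname in REFERENCE_ATTRIBUTES and not _reference_is_local(aname, value):
            dropped.append(f"reference:{aname}={value}")
            continue
        out.set(aname, value)
    if local in TEXT_ELEMENTS:    # character data only where it is content
        out.text = elem.text
    for child in elem:
        kept = _clean(child, dropped)
        if kept is not None:
            if local in TEXT_ELEMENTS:
                kept.tail = child.tail   # mixed content inside <text>
            out.append(kept)
    return out


def sanitize_svg(source):
    """Parse SVG text and return (clean_svg, dropped_items).

    Comments and processing instructions (including <?xml-stylesheet?>) are
    discarded by the parser. Caveat: xml.etree does not guard against entity
    expansion bombs; parse with defusedxml and cap input size in production.
    """
    dropped = []
    cleaned = _clean(ET.fromstring(source), dropped, root=True)
    if cleaned is None or cleaned.tag != "svg":
        raise ValueError("document root is not an <svg> element")
    return ET.tostring(cleaned, encoding="unicode"), dropped


# Constructed sample: a benign drawing plus the usual abuse vectors.
SAMPLE_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     width="100" height="100" viewBox="0 0 100 100" onload="alert(1)">
  <script>alert('xss')</script>
  <defs><linearGradient id="grad"><stop offset="0" stop-color="#f0f"/></linearGradient></defs>
  <rect id="box" x="5" y="5" width="90" height="90" fill="url(#grad)" inkscape:label="box"/>
  <use xlink:href="#box" transform="translate(2 2)"/>
  <use xlink:href="https://example.invalid/external.svg#payload"/>
  <image href="https://example.invalid/track.png"/>
  <a href="javascript:alert(1)"><circle cx="50" cy="50" r="10"/></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><iframe src="x"/></body></foreignObject>
  <text x="10" y="50" style="font-family:Arial" font-family="sans-serif">hi<tspan fill="red">!</tspan></text>
</svg>"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_SVG)
    print(clean)
    print("dropped:", removed)
```

Two design choices are worth noting. A rejected element is removed together with its subtree, so the harmless circle wrapped in the `<a>` is lost as well; that is what makes a strict allowlist cleaner reject some non-malicious images, as observed above for the simpler PHP sanitizer, and the trade-off is fewer code paths to get wrong. And the cleaner only addresses the markup: as the staff reply in this thread points out, the contexts and permissions in which an image is displayed still have to be reviewed separately, since an inline SVG in a page is a different risk from the same file served as an image.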

Re: SVG images

[staff profile] denise 2018-04-04 05:26 pm (UTC)

Hmm, reading up on your links a bit, I don't think we could be confident enough in the sanitizers, especially since images in entries can display in a lot of contexts (and with a lot of permissions) and therefore need strict scrutiny. But thank you so much for looking into it more and pointing me to the resources!

Re: SVG images

[personal profile] steve98052 2018-04-05 07:08 am (UTC)

I'll keep looking, and if I can find something that avoids the abundant risks of SVG (even if at the cost of greatly narrowing the extent of what one can do with it) I'll follow up more.

Also, I came across a more limited vector format that might be a possibility, if I can find it again. That might offer another path to vector image support, particularly if there's a good way to save an SVG as the other format.

Re: SVG images

[personal profile] steve98052 2018-04-03 03:53 am (UTC)
Before I toss it out as a top-level message, I figured I'd see whether I'm on the right track, particularly on the question of whether anyone else would find SVG useful.