Open ashutosh1206 opened 2 years ago
With cure53, we established that the src
field of an image on the browser doesn't allow the execution of any malicious tags. I'll try to read more though about what happens during compression.
So... it's actually really interesting why it works with the svg.
It uses the OffscreenCanvas feature of the browser. Basically it renders the image there, and then it performs the necessary operations (this is useful because it leverages GPU acceleration in some operation)
So because it is a canvas, you can render anything you want, even an svg. But the results (apparently - pending confirmation) are png/jpeg, because it is converted afterwards.
Noticed that image compression changes the mimetype of an SVG to
image/png
. Combined with https://github.com/capsulesocial/capsule-orbit/issues/425, the image passes through to the backend successfully.There's a check before compression step in the post editor (
src/components/post/Editor.vue
) throwing an error that needs to be disabled:To confirm that mimetype changes due to compression, I disabled it and verified the mimetype of the resultant data URL (it was
image/svg+xml
:Now I am not sure exactly what happens to the image raw data, because that the image gets rendered correctly on the post reader. I am opening an issue since we should probably check if the image raw data is an SVG after compression, or a PNG. Might need to consider security implications if it's an SVG (how the image is loaded on the reader etc.).