Open GoogleCodeExporter opened 9 years ago
NOTE: no other browsers exhibit this problem:
* Firefox does not allow SVG images as a source in <image>
* Safari/Chrome do not appear to execute the script
Original comment by codedr...@gmail.com
on 19 Jan 2010 at 6:40
Isn't it normal that an SVG file can run a script inside an SVG? I know this can cause security issues, but don't the specs allow this, for animation and stuff?
I have an SVG grid which is drawn in JavaScript:
http://imgh.us/197_grid_ericjames_10x10.svg
It's nice, I insert an image in SVG-edit and point it to it, and I get a grid to draw on.
Alright, a raster image shouldn't have an SVG extension, but I'm glad it's allowed. :-)
Original comment by worms_...@yahoo.com
on 19 Jan 2010 at 7:57
I should clarify that there are two things going on:
#1) we are not importing the SVG when we include an <image>, so there's no whitelist scrubbing etc (in fact, no guarantee that we can even display the image at all, let alone run scripts from some other source). I'm not sure what the spec says on this matter. If it's legal to have scripts in a foreign <image> and the browser should run them, that seems... dangerous. If it's illegal then this would seem to be an issue with Opera only and probably should be tracked as a bug against them. I know that for HTML:img there was some spec discussion that all scripts should be ignored, but not sure about SVG:image.
#2) for loading and importing images into our document, we can use our whitelist to scrub the incoming issue of all security risks
Original comment by codedr...@gmail.com
on 19 Jan 2010 at 8:11
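The whitelist scrubbing described in point #2, as an added illustration and not SVG-edit's own code: elements and attributes not on an allow-list are dropped (so `<script>`, `foreignObject` and `on*` handlers never reach the document), and `href` values are limited to fragment or raster data URLs. The allow-lists and the sample SVG are constructed for the example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Illustrative allow-lists (assumption, not SVG-edit's real whitelist).
ALLOWED_ELEMENTS = {"svg", "g", "defs", "title", "desc", "rect", "circle", "ellipse",
                    "line", "polyline", "polygon", "path", "text", "tspan", "image", "use"}
ALLOWED_ATTRS = {"id", "x", "y", "width", "height", "viewBox", "transform", "d",
                 "points", "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2",
                 "fill", "stroke", "stroke-width", "font-size", "opacity",
                 "href", "{%s}href" % XLINK_NS}
# Only same-document references and raster data URLs may be linked; an external
# or SVG data URL could carry a script that the browser may run (the Opera case).
SAFE_HREF_PREFIXES = ("#", "data:image/png", "data:image/jpeg", "data:image/gif")

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on names."""
    return tag.rsplit("}", 1)[-1]

def scrub_svg(svg_text):
    """Return (cleaned_svg_text, removed) where removed lists everything stripped."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    removed = []

    def walk(elem):
        for child in list(elem):
            if _local(child.tag) not in ALLOWED_ELEMENTS:
                removed.append("element:" + _local(child.tag))
                elem.remove(child)          # drops the whole subtree, script text included
            else:
                walk(child)
        for name, value in list(elem.attrib.items()):
            lname = _local(name)
            if lname.startswith("on") or name not in ALLOWED_ATTRS:
                removed.append("attr:" + lname)
                del elem.attrib[name]
            elif lname == "href" and not value.startswith(SAFE_HREF_PREFIXES):
                removed.append("href:" + value)
                del elem.attrib[name]

    walk(root)
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample: an "image" that carries a script, event handlers and an external link.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert('ran')</script>
  <rect x="0" y="0" width="100" height="100" fill="#eee"/>
  <image xlink:href="http://example.invalid/other.svg" width="10" height="10"/>
  <circle cx="50" cy="50" r="20" onclick="alert(2)" fill="red"/>
</svg>"""
```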
Original issue reported on code.google.com by
codedr...@gmail.com
on 19 Jan 2010 at 6:39