Open tkacheva opened 6 years ago
@tkacheva do you mean that SVG support can be just returned back or there needs to be a more sophisticated fix for a stored XSS vulnerability?
+1. I use SVGs everywhere I can as modern web designs should. The initial security fix should not have been simply removing upload support for SVG altogether.
Can you say how to use SVGs everywhere? Thank you! @SnarkieDesign
Magento admin media gallery is used by trusted users only. If they want to add malicious JavaScript, they can also do this in a CMS-page with pagebuilder "html" element... Please allow SVG or add an option to enable/disable it.
Originally recorded in MAGETWO-53778
Requires Merchant Documentation: Yes
Proposed Release Note:
Card:
As a Content manager, I want to upload an SVG file into the Magento Media Gallery so that I can use it in the webstore content
Background:
SVG has not been supported in Magento since the 2.2 release because of potential security violations (MAGETWO-61189), which assume that JS code can be inserted inside an SVG file. Since then, several issues have been reported on GitHub:
The SVG format is growing in popularity, and this trend shows that enterprise-level websites use it more often than smaller ones. Key objectives of why .svg support is crucial for advanced content that Magento supports with the 2.3 release:
Preconditions:
User is on the following pages:
Acceptance Criteria
Additional information