pypa / readme_renderer

Safely render long_description/README files in Warehouse
Apache License 2.0

(how) Is it possible to add a base64 image in the README #270

Closed khameeteman closed 1 year ago

khameeteman commented 1 year ago

I am trying to add an image in the README of my project, which currently looks like:

<p align="center">
  <img src="url-to-svg" />
</p>

However, I would like to remove the dependency on this URL. Instead, would it be possible to simply add the base64 as the image source, or to allow the <svg> tag directly?

<p align="center">
  <img src="data:image/svg+xml;base64..." />
</p>
miketheman commented 1 year ago

@khameeteman I think you're hitting up against an old rule that only allows specific protocols like http:// and https:// to be used in URIs, per bleach https://github.com/mozilla/bleach/blob/6cd4d527a6b43569c1e1490e632500199b1efb6c/bleach/sanitizer.py#L35-L36

Since Data URIs can contain unsafe content to be run on the website viewing the content, we generally disallow that kind of behavior due to security concerns, since we don't control the inputs.

Hopefully this explains why we don't currently allow base64-encoded strings as images.

khameeteman commented 1 year ago

@miketheman thanks for the references, that makes sense.

And what about using <svg> directly?

miketheman commented 1 year ago

@khameeteman Similar vulnerabilities apply to SVG as well - since we'd be accepting untrusted code to execute in the context of the user's browser. A search for svg xss will turn up a fair amount of reports on the subject.
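The allowlist rule described in this thread (only certain tags and attributes survive, and URI-valued attributes must use an allowed scheme, so `data:` image sources and inline `<svg>` are both dropped) as an added Python example; this is not readme_renderer's or bleach's own code, and the tag/attribute/scheme sets and the sample README fragment are assumptions constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists, modelled on the "only http/https" rule discussed above.
ALLOWED_TAGS = {"p", "img", "a", "b", "i", "code", "pre"}
ALLOWED_ATTRS = {"img": {"src", "alt", "align"}, "a": {"href"}, "p": {"align"}}
URI_ATTRS = {"src", "href"}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}


def uri_allowed(value):
    """Relative URIs pass; absolute ones pass only with an allowlisted scheme."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup keeping only allowlisted tags/attributes; text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attr, value) for rejected URIs, useful for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # <svg>, <script>, ... vanish entirely
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URI_ATTRS and not uri_allowed(value or ""):
                self.dropped.append((tag, name, value))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void elements: no closing tag emitted

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # content of dropped tags becomes inert text


def sanitize(markup):
    """Return (sanitized_html, list_of_dropped_uri_attributes)."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed README fragment: one remote image, one data: image, one inline SVG.
SAMPLE = ('<p align="center">\n'
          '  <img src="https://example.invalid/logo.svg" alt="ok" />\n'
          '  <img src="data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=" alt="inline" />\n'
          '  <svg onload="x"><circle r="1"/></svg>\n'
          '</p>')
```

Running `sanitize(SAMPLE)` keeps the `https://` image, strips the `src` of the `data:` image, and removes the `<svg>` subtree while reporting the rejected URI in the second return value.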