X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/b16fe913ec62f33eb6319552f0e40a3336afbe47..14fb2ba91f744732303e5ed96ffeb625aeef03b4:/doc/todo/upload__95__figure.mdwn?ds=inline diff --git a/doc/todo/upload__95__figure.mdwn b/doc/todo/upload__95__figure.mdwn index 52034c21b..d8dd65921 100644 --- a/doc/todo/upload__95__figure.mdwn +++ b/doc/todo/upload__95__figure.mdwn @@ -8,3 +8,13 @@ Unfortunately, Github shows [[raw code|https://github.com/paternal/ikiwiki/blob/ --[[Louis|spalax]] +> Unfortunately SVG can contain embedded JavaScript, so anyone who can +> upload arbitrary SVG to this wiki can execute JavaScript in its security +> context, leading to stealing login cookies and other badness. GitHub +> won't display arbitrary user-supplied SVG for the same reasons. +> +> I've seen various attempts to sanitize SVG via a whitelist, but it's +> just too large a specification to be confident that you're right, IMO. +> +> This particular SVG [[looks good to me|users/smcv/ready]] and I've +> mirrored it in my own git repo. --[[smcv]]