X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/b16fe913ec62f33eb6319552f0e40a3336afbe47..ef0b4a11814823add81ee4551b9bbcfca894648d:/doc/todo/upload__95__figure.mdwn

diff --git a/doc/todo/upload__95__figure.mdwn b/doc/todo/upload__95__figure.mdwn
index 52034c21b..a63e183e8 100644
--- a/doc/todo/upload__95__figure.mdwn
+++ b/doc/todo/upload__95__figure.mdwn
@@ -8,3 +8,15 @@ Unfortunately, Github shows [[raw code|https://github.com/paternal/ikiwiki/blob/
 
 --[[Louis|spalax]]
 
+> Unfortunately SVG can contain embedded JavaScript, so anyone who can
+> upload arbitrary SVG to this wiki can execute JavaScript in its security
+> context, leading to stealing login cookies and other badness. GitHub
+> won't display arbitrary user-supplied SVG for the same reasons.
+>
+> I've seen various attempts to sanitize SVG via a whitelist, but it's
+> just too large a specification to be confident that you're right, IMO.
+>
+> This particular SVG [[looks good to me|users/smcv/ready]] and I've
+> mirrored it in my own git repo. --[[smcv]]
+
+>> [[merged|done]] --[[smcv]]