X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/b16fe913ec62f33eb6319552f0e40a3336afbe47..f5a1550441a9d58652d93deacc333f143a7ecfbd:/doc/todo/upload__95__figure.mdwn diff --git a/doc/todo/upload__95__figure.mdwn b/doc/todo/upload__95__figure.mdwn index 52034c21b..a63e183e8 100644 --- a/doc/todo/upload__95__figure.mdwn +++ b/doc/todo/upload__95__figure.mdwn @@ -8,3 +8,15 @@ Unfortunately, Github shows [[raw code|https://github.com/paternal/ikiwiki/blob/ --[[Louis|spalax]] +> Unfortunately SVG can contain embedded JavaScript, so anyone who can +> upload arbitrary SVG to this wiki can execute JavaScript in its security +> context, leading to stealing login cookies and other badness. GitHub +> won't display arbitrary user-supplied SVG for the same reasons. +> +> I've seen various attempts to sanitize SVG via a whitelist, but it's +> just too large a specification to be confident that you're right, IMO. +> +> This particular SVG [[looks good to me|users/smcv/ready]] and I've +> mirrored it in my own git repo. --[[smcv]] + +>> [[merged|done]] --[[smcv]]