What is it with fedi server software (looking at you, @Mastodon and @pixelfed ) not accepting SVG image uploads?..


@rysiek @Mastodon @pixelfed WordPress also doesn't allow SVG by default, and my understanding is it's because they can contain JavaScript.

@secretpeej @Mastodon @pixelfed they're already generating all sorts of previews anyway. Might as well just convert SVGs to PNGs.

@secretpeej @rysiek @Mastodon @pixelfed

This was a long-time issue in as well, where GH did offer SVG support, Gitea did not.

Here's the discussion. I did not look into the PR code, but believe they sanitize the SVG code. There's also a link to possible exploits if not doing that.


@humanetech @secretpeej @Mastodon @pixelfed sanitizing SVG is a fiendishly complicated affair, but it got better since last time I needed to deal with it -- `Content-Security-Policy: script-src 'none'` now exists.

This does require a separate domain/subdomain for hosting SVGs though, complicating deployment.

That's why I think converting server-side is the way to go.


@rysiek @secretpeej @Mastodon @pixelfed


Again, I didn't read the full details, but believe that gitea went with a 'safe enough' approach that does not require a separate (sub)domain.

The last PR at the bottom of the issue has some good details in comments.
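As an added example (my own code, not anything from Mastodon, Pixelfed, Gitea or the posters above) covering both approaches the thread discusses: a small Python sanitizer that strips active content from an uploaded SVG, and the response headers for serving SVGs from a separate origin with the `script-src 'none'` policy mentioned earlier. The banned-element list, the `is_safe_url` policy and the exact header values are my assumptions, and the sample SVG is constructed test input.

```python
"""Strip active content from an uploaded SVG, and build headers for serving SVGs
from a separate origin. Added example, not the code of any project in the thread."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the serialized root as plain <svg>
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed arbitrary HTML. Assumed denylist; a
# production sanitizer should instead allowlist the elements it expects.
BANNED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes whose value is a URL and can therefore carry a javascript: payload.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def _local(qname: str) -> str:
    """Return the local part of a '{namespace}name' tag or attribute key."""
    return qname.rsplit("}", 1)[-1]


def is_safe_url(value: str) -> bool:
    """Allow fragment references, scheme-less relative paths and http(s) only.
    Whitespace and control characters are removed first so that a scheme split
    across them (e.g. 'java\\tscript:') is still recognised."""
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    if v.startswith("#"):
        return True
    scheme, sep, _ = v.partition(":")
    if not sep:
        return True
    return scheme in {"http", "https"}


def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (sanitized SVG text, list of what was removed).

    Note: the stdlib parser does not defend against entity-expansion attacks;
    real deployments should parse with defusedxml (assumption: it is installed)."""
    root = ET.fromstring(svg_text)
    removed: list[str] = []

    # Pass 1: drop banned elements. Iterate over a snapshot so that removing
    # children does not disturb the traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in BANNED_ELEMENTS:
                parent.remove(child)
                removed.append(f"element <{_local(child.tag)}>")

    # Pass 2: drop event handlers (on*) and unsafe URL-valued attributes.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr).lower()
            if name.startswith("on") or (attr in URL_ATTRS and not is_safe_url(el.attrib[attr])):
                del el.attrib[attr]
                removed.append(f"attribute {name} on <{_local(el.tag)}>")

    return ET.tostring(root, encoding="unicode"), removed


def svg_response_headers() -> dict[str, str]:
    """Headers for serving a stored SVG from the separate media origin.
    Values are assumptions; style-src 'unsafe-inline' keeps inline styles working."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; script-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample upload: a script element, an onload handler, a javascript:
# link, and one harmless fragment reference that must survive.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="10" height="10" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><circle cx="5" cy="5" r="4" fill="red"/></a>
  <use href="#x"/>
</svg>"""

if __name__ == "__main__":
    clean, log = sanitize_svg(SAMPLE_SVG)
    print(clean)
    for entry in log:
        print("removed:", entry)
```

Two points on the design. The CSP header only matters when a browser navigates to the SVG directly or embeds it via `<object>`/`<iframe>`; inside an `<img>` tag scripts never run anyway. The separate origin is what keeps a direct navigation away from the main site's cookies and session, and the header is the belt to that suspender. And a denylist like the one above is the weaker of the two sanitizer styles: SVG and CSS keep growing new ways to reference URLs, so an allowlist of elements and attributes, or converting to PNG server-side as suggested above, is the safer default.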
