Error Uploading Some SVGs in Panel (attribute and namespace errors) #3424
Comments
The new validation rules are the result of a potentially severe security issue we fixed in: https://github.com/getkirby/kirby/releases/tag/3.5.4 We will look into your examples and see what we can do. Our tip right now is to optimise the SVGs with https://jakearchibald.github.io/svgomg/ first. It's a lot more comfortable to import and reexport from Sketch.
@neildaniels I've created a PR that allows to allowlist the custom namespace used in the second file. It's weird that this namespace is in there as it's not used at all, maybe it's just an ad for the optimization tool? Regarding the first file I agree with Bastian that optimization before upload is the way to go: The Also see #3433 (comment) for more details on our
✅
SVGOMG no longer removes Could you point me in a direction that explains what the security implications of Did I miss another one or is it just that? Otherwise it could be useful to allow this attribute, but limit its value to
I have the same issue. It's really to explain clients. Actually I myself can't seem to be able to upload SVGs. One thing is Can't I turn this off if I don't have malicious editors?
@rasteiner @iskrisis We will add support for @iskrisis You have two options: Either you can add the attributes you need to the allowlists (for example with
unset(Kirby\Sane\Sane::$handlers['svg']);
unset(Kirby\Sane\Sane::$aliases['image/svg']);
unset(Kirby\Sane\Sane::$aliases['image/svg+xml']);
For everyone else reading along: Of course we do not recommend this. Only do it if you are absolutely sure all file uploaders can be trusted.
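A generic sketch of the kind of allowlist check this thread is about, added here as an example: it is not Kirby's Sane code, and the allowlists, the `check_svg` name and the sample file are constructed for illustration. It shows why an unused namespace declaration, an editor-specific attribute or a doctype each get a file refused under a strict allowlist, and can serve as a pre-upload check.

```python
from xml.parsers import expat

# Constructed allowlists for illustration; these are NOT Kirby's Sane rules.
ALLOWED_NAMESPACES = {"http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"}
ALLOWED_TAGS = {"svg", "g", "title", "path", "rect", "circle"}
ALLOWED_ATTRS = {"id", "viewBox", "width", "height", "d", "fill", "x", "y", "cx", "cy", "r"}


class Rejected(Exception):
    """Raised from a parser callback to stop parsing immediately."""


def check_svg(data: bytes) -> list:
    """Return the reasons a strict allowlist check would refuse this SVG."""
    errors = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Stop before any entity declaration in the DTD is processed.
        raise Rejected("doctype is not allowed")

    def on_namespace(prefix, uri):
        # Fires for every xmlns declaration, even one no element uses.
        if uri not in ALLOWED_NAMESPACES:
            errors.append(f"namespace not allowed: {uri}")

    def on_element(name, attrs):
        # With namespace_separator=" ", names arrive as "uri local".
        uri, _, tag = name.rpartition(" ")
        if uri not in ALLOWED_NAMESPACES or tag not in ALLOWED_TAGS:
            errors.append(f"tag not allowed: {tag}")
        for attr_name in attrs:
            attr_uri, _, attr = attr_name.rpartition(" ")
            if (attr_uri and attr_uri not in ALLOWED_NAMESPACES) or attr not in ALLOWED_ATTRS:
                errors.append(f"attribute not allowed on <{tag}>: {attr}")

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartNamespaceDeclHandler = on_namespace
    parser.StartElementHandler = on_element
    try:
        parser.Parse(data, True)
    except Rejected as exc:
        errors.append(str(exc))
    except expat.ExpatError as exc:
        errors.append(f"not well-formed XML: {exc}")
    return errors

# Constructed sample: an unused tool namespace plus an editor-specific attribute.
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:tool="https://tool.example/ns"'
          b' viewBox="0 0 10 10"><path d="M0 0h10v10z" data-name="Layer 1"/></svg>')
```

Calling `check_svg(SAMPLE)` lists one namespace finding and one attribute finding; an empty list means the file passes this example's rules.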
In which file do I need to put those lines to disable validation?
@alicericci Do you still have a need for this after the changes in Kirby 3.6.1? I'm interested to hear what stops you from using Sane. To answer your question: You can put these lines anywhere after Kirby is initialized, so in a plugin file or in
@lukasbestle Thanks! After the changes in Kirby 3.6.1, SVGs cleaned up with SVGOMG work, but SVGs straight from Illustrator don't.
@alicericci I don't have Illustrator at hand to test it, but I heard that checking "Minify" in the export dialog omits the doctype.
hej, 👋🏼 *.svg's cleaned up with svgomg does the trick for me.
Describe the bug
I've run into situations where the Panel refused to accept uploads of certain SVGs. It seems like it's running SVGs through some kind of strict validation, where some extra attributes or "invalid" attributes cause an outright rejection.
Can this validation be removed or improved for SVGs?
Current workaround is I have to import and reexport SVGs from something like Sketch.
To Reproduce
Steps to reproduce the behavior:
Example SVGs.zip
Reproduces on https://trykirby.com
Expected behavior
Screenshots
Kirby Version
3.5.6
Console output
Desktop (please complete the following information):