Upload SVG images blocked #16795
Comments
Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/16795
Closed as duplicated Report of #14356. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16795.
Re-opening. #14356 is specific to com_fields and this is more generic.
Looking into this it's caused by line 294 on 'xml', 'xmp', '!DOCTYPE', '!--', to be exact. Each of these is a match within an SVG. My only thought is to add an exception here if it is an <SVG and run a basic sanitizer through it?
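The mismatch described in the comment above, as an added PHP example that is not Joomla's code and not part of the thread: a generic scan for the four tag names quoted there flags a benign SVG, while a structure-aware check is what separates it from one carrying script. The function names, the element allowlist and both sample files are constructed for illustration.

```php
<?php
// Added example, not Joomla's code. Names and samples are constructed.
const BLOCKED_TAGS = ['xml', 'xmp', '!DOCTYPE', '!--'];   // the four names quoted above
const ALLOWED_ELEMENTS = ['svg', 'g', 'path', 'rect', 'circle', 'title']; // small on purpose

// Stand-in for a generic tag scan: reports which blocked names occur as "<name".
function blocklistHits($data)
{
    $hits = [];
    foreach (BLOCKED_TAGS as $tag) {
        if (stripos($data, '<' . $tag) !== false) {
            $hits[] = $tag;
        }
    }
    return $hits;
}

// SVG-aware check: parse as XML, then allowlist elements and reject active attributes.
function svgProblems($data)
{
    if (stripos($data, '<!DOCTYPE') !== false) {
        return ['DOCTYPE present: strip or reject it before parsing (entity declarations)'];
    }
    $doc = new DOMDocument();
    if ($data === '' || !@$doc->loadXML($data, LIBXML_NONET)) {
        return ['not well-formed XML'];
    }
    $problems = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (!in_array($el->localName, ALLOWED_ELEMENTS, true)) {
            $problems[] = "element <{$el->localName}> is not on the allowlist";
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->localName, 'on') === 0) {
                $problems[] = "event handler attribute {$attr->nodeName}";
            } elseif ($attr->localName === 'href' && strpos(trim($attr->value), '#') !== 0) {
                $problems[] = "{$attr->nodeName} points outside the document";
            }
        }
    }
    return $problems;
}

$samples = [
    'benign' => '<?xml version="1.0"?><!-- logo --><svg xmlns="http://www.w3.org/2000/svg"><path d="M0 0h8v8z"/></svg>',
    'active' => '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>',
];
foreach ($samples as $label => $svg) {
    printf("%s: blocklist=[%s] svg=[%s]\n", $label, implode(', ', blocklistHits($svg)), implode('; ', svgProblems($svg)));
}
```

This check covers element names, event-handler attributes and href targets only; `style` content and embedded data URIs need their own handling in a full sanitizer.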
@tonypartridge any progress on this?
This might be a viable solution: https://github.com/darylldoyle/svg-sanitizer
@tonypartridge idk where you got that path from. It doesn't exist in current J! staging.
@N6REJ The path has changed for 3.8 I believe. It is now:
As an intermediate step could svg upload/edit support be added in Templates:Customize? That would have the ACL restrictions for uploading already taken care of. It also allows for the more likely use case of svg's as template elements rather than end user uploads via media manager.
Try this: #13499
As @dgt41 stated, webp is not implemented either so this would be a perfect time to make this happen.
Why add support for an image format that is not supported on the set of browsers Joomla supports?
Users can deploy Joomla sites with higher requirements than what we offer support for out-of-the-box.
Are we talking for Joomla 3 or 4 here?
@dgt41 thanks for the suggestion. My use case is for uploading and editing svg's within the template manager. I am able to upload but not to edit within the code editor at Templates:Customize. I am not even making a big push for svg inclusion in media manager. I am advocating for the ability to make adjustments to existing svg's as template elements. As I suggested above, inclusion in just templates provides better ACL control than broader implementation and provides for the most likely scenario of using them as template design elements rather than content items.
@dgt41 exactly. Just thought other developers might also appreciate this flexibility rather than having to break out an IDE to tweak a color or other parameter on an svg element used in a template. I am sensitive to @brianteeman's comments about unsupported image formats and I am aware of the security concerns that svg's introduce. It is just that I am seeing more svg implementation in templates and frameworks (specifically Gantry).
Please test PR #28599.
Steps to reproduce the issue
Upload an SVG image; even if the media manager accepts it, it is blocked.
Expected result
Uploading works if the media manager that is used accepts them (Ark Media in my case).
Actual result
On upload it is blocked by Joomla.
Here you can find my post on ArkExtensions where the developer is explaining to me what the problem is.
http://arkextensions.com/technical-support/4954-svg-image-file-type-not-right-on-upload#reply-4958
Additional comments
I understand SVG is a security issue. It is not my expertise; I am happy people make it secure.
But SVG is a really nice way to show logos and certain images that need to look great in different sizes.
Is there a way to keep it secure but give ACL to the upload function so I as super user can upload images?
Thanks!