[#16795] - Upload SVG images blocked
- Closed
- 7 Apr 2020
- Medium
- Build: 4.0-dev
- # 16795
Steps to reproduce the issue
Upload SVG image, even if the media manager is accepting it it is blocked.
Expected result
Uploading is working if the media manager that is used accept them (Ark Media in my case).
Actual result
On upload it is blocked by Joomla
Here you can find my post on ArkExtensions where the developer is explaining to me what the problem is.
http://arkextensions.com/technical-support/4954-svg-image-file-type-not-right-on-upload#reply-4958
Additional comments
I understand SVG is a security issue, there it is not my expertise i am happy people make it secure.
But SVG is a really nice way to show logo's and certain images that needs to be great in different sizes.
Is there a way to keep it secure but giving ACL to the upload function so i as super user can upload images?
Thanks!
| Status | New | ⇒ | Duplicate Report |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-06-21 08:05:48 |
| Closed_By | ⇒ | franz-wohlkoenig | |
| Rel_Number | 0 | ⇒ | 14356 |
| Relation Type | ⇒ | Duplicate of |
| Status | Duplicate Report | ⇒ | Closed |
| Closed_By | franz-wohlkoenig | ⇒ | joomla-cms-bot |
| Rel_Number | 14356 | ⇒ | 0 |
| Relation Type | Duplicate of | ⇒ |
Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/16795
| Category | ⇒ | com_media |
| Status | Closed | ⇒ | New |
| Closed_Date | 2017-06-21 08:05:48 | ⇒ | |
| Closed_By | joomla-cms-bot | ⇒ |
| Status | New | ⇒ | Discussion |
Looking into this it's caused by line 294 on
libraries/cms/helper/media.php
'xml', 'xmp', '!DOCTYPE', '!--',
to be exact. Each of these is a match within an SVG.
My only thought is to add an exception here if it is an <SVG and run a basic sanitizer through it?
| Status | Discussion | ⇒ | Information Required |
@tonypartridge any Progress on this?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16795.
I tried to go to his site... way uncool
This might be a viable solution.. https://github.com/darylldoyle/svg-sanitizer
@tonypartridge idk where you got that path from.. It doesn't exist in current J! staging.
| Status | Information Required | ⇒ | Discussion |
As an intermediate step could svg upload/edit support be added in Templates:Customize?
That would have the ACL restrictions for uploading already taken care of. It also allows for the more likely use case of svg's as a template elements rather than end user uploads via media manager.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16795.
why add support for an image format that is not supported on the set of browsers joomla supports
Users can deploy Joomla sites with higher requirements than what we offer support for out-of-the-box.
so this would be a perfect time to make this happen
Are we talking for Joomla 3 or 4 here?
@dgt41 thanks for the suggestion. My use case is for uploading and editing svg's within the template manager. I am able to upload but not to edit within the code editor at Templates:Customize. I am not even making a big push for svg inclusion in media manager. I am advocating for the ability to make adjustments to existing svg's as template elements. As I suggested above, inclusion in just templates provides better ACL control than broader implementation and provides for the most likely scenario of using them as template design elements rather than content items.
@dgt41 exactly. Just thought other developers might also appreciate this flexibility rather than having to break out an IDE to tweak a color or other parameter on an svg element used in a template. I am sensitive to @brianteeman comments about unsupported image formats and I am aware of the security concerns that svg's introduce. It is just that I am seeing more svg implementation in templates and frameworks (specifically Gantry).
| Labels |
Added:
J3 Issue
|
||
jwaisner
- | Status | Discussion | ⇒ | New |
| Build | 3.7.2 | ⇒ | 4.0-dev |
| Category | com_media | ⇒ | com_media Feature Request |
Quy
- | Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-04-07 17:55:33 |
| Closed_By | ⇒ | Quy |
closed as duplicated Report of #14356
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16795.