No Code Attached Yet bug
avatar ChristineWk
ChristineWk
15 Jun 2022

Steps to reproduce the issue

Upload svg file as logo in cassiopeia.
A message appears: An error has occurred.

Expected result

Solution: Under Media you have to allow svg in several places
file types; image/svg+xml
Valid image file extensions: svg
Allowed extensions: svg

Actual result

If you do not enter all types (see above). A message appears: An error has occurred.

Additional comments

Feature Rquest: Wouldn't it make sense to offer such information directly where the problem can occur?
Eg by displaying a small question mark icon and behind it the information that you first have to set e.g. svg "on" at this point or that.
Thank you.

avatar ChristineWk ChristineWk - open - 15 Jun 2022
avatar ChristineWk ChristineWk - change - 15 Jun 2022
Labels Removed: ?
avatar joomla-cms-bot joomla-cms-bot - change - 15 Jun 2022
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 15 Jun 2022
avatar chmst
chmst - comment - 15 Jun 2022

There is indeed some need for information and documentation. Maybe we can add information for cassiopeia?
@drmenzelit

avatar brianteeman
brianteeman - comment - 15 Jun 2022

The problem is that there is a bug and the correct error message is not being displayed.

avatar ChristineWk
ChristineWk - comment - 15 Jun 2022

The problem is that there is a bug and the correct error message is not being displayed.

would a PR be possible?

avatar richard67 richard67 - change - 15 Jun 2022
Labels Added: ?
avatar richard67 richard67 - labeled - 15 Jun 2022
avatar N6REJ
N6REJ - comment - 15 Jul 2022

I don't know if this is related or not, but I just tried to upload this image and it was refused even though I have everything set correctly
collabnet-versionone-logo
using tiny I was able to user <img src=> to include it in the article however.
image

avatar obuisard
obuisard - comment - 15 Aug 2022

Indeed, there is a problem with SVGs here. Even when the allowed types and mime types are set correctly in the media manager's global configuration (like stated in the previous comment by @N6REJ), it is impossible to add SVGs to the Media manager (via uploads or drag-and-drop). Once the files are added to the images folder via FTP, for instance, the files are visible (without a preview, which is expected for now) and selectable in the article manager or Cassiopeia.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38068.

avatar N6REJ
N6REJ - comment - 16 Aug 2022

@Quy can you tackle this?

avatar N6REJ N6REJ - change - 16 Aug 2022
Labels Added: bug
Removed: ?
avatar N6REJ N6REJ - unlabeled - 16 Aug 2022
avatar N6REJ N6REJ - labeled - 16 Aug 2022
avatar ChristineWk ChristineWk - change - 17 Aug 2022
Title
Media Manager SVG File (Feature Request)
Media Manager SVG File
avatar ChristineWk ChristineWk - edited - 17 Aug 2022
avatar ChristineWk ChristineWk - change - 17 Aug 2022
Title
Media Manager SVG File
[4.3] Media Manager SVG File
avatar ChristineWk ChristineWk - edited - 17 Aug 2022
avatar ChristineWk
ChristineWk - comment - 17 Aug 2022

@obuisard: Thanks for your intervention

avatar obuisard
obuisard - comment - 17 Aug 2022

Thank you, Brian @brianteeman. It confirms that it used to work under Joomla 4.0.4. But my tests under Joomla 4.1.5 and 4.2.0 are failing.

avatar obuisard
obuisard - comment - 17 Aug 2022

I am doing more testing on this.
My findings so far:

In Joomla 4.0.4, SVG files can be uploaded EXCEPT if the files start with an XML comment. Once the comment has been removed or moved inside the svg tag, it can be uploaded. This kind of comment is usually added by generators of SVG files.

In Joomla 4.1.5, no file can be uploaded unless they are 'simple' XML files (containing the svg tag and the optional xml declaration). The ones containing additional namespaces or DOCTYPE cannot be uploaded.

So, I see regression.

avatar brianteeman
brianteeman - comment - 17 Aug 2022

Sounds like a issue with the security SVG filter

avatar obuisard
obuisard - comment - 17 Aug 2022

We need to document what is a clean SVG and why some SVG files may be denied upload. SVG files need to be sanitized to avoid all kinds of security issues (cross-site scripting, HTML injections, denial of service - basically any possible attack related to XML documents). Some users may not be aware of it.
And the error message is not helping.

avatar brianteeman
brianteeman - comment - 17 Aug 2022

Its more than that. The svg files used to test the filters when they were added do not work either

avatar brianteeman
brianteeman - comment - 17 Aug 2022

you need to roll back to when it worked and then see what has changed. I have my suspicions but its too late and I had too many beer to try

avatar obuisard
obuisard - comment - 17 Aug 2022

Yes @brianteeman, thank you!

avatar obuisard
obuisard - comment - 18 Aug 2022

The major difference I see is that in 4.0 the content of the files was scanned for specific html/xml tags. In more recent versions, a sanitizer is used instead (from vendor 'enshrined'). It's the same one used in Nicholas K. Dionysopoulos's plugin for Joomla 3 (https://github.com/nikosdion/joomlasvg).

The new sanitizer checks the SVG files and returns a clean version or false (the file could not be parsed).
(this sanitizer covers more potential issues than the parser used to in Joomla 4.0, hence the restricted number of files allowed now).

The sanitizer reports what issues have been addressed during sanitization. We use it in 4.2, for instance, to see if there are issues with the file.

Based on my review of the MediaHelper code in 4.2,

if ($isValid === false || count($svgErrors))

should be

if ($isValid === false)

However, we do need to use the cleaned file if we do so.

So the question here is:
should we parse the file and invalidate it if there are issues (like it does work now) or should we allow the cleaned version of the file? This may have been discussed already. If we keep it as it is, we should report the issues to the user, for better feedback on why the file was not uploaded.

Another issue involves the error messages from the MediaHelper never showing because all is caught is JLIB_MEDIA_ERROR_UPLOAD_INPUT when returning from the LocalAdapter's canUpload function.

avatar N6REJ
N6REJ - comment - 18 Aug 2022

Incase it helps here's 2 inkscape svg files. One is in "save as inkscape svg" and the other is "save as svg"
Bearsampp-logo-128x128
Bearsampp-logo-inkscape

avatar obuisard
obuisard - comment - 18 Aug 2022

I am going to write a PR that fixes the messaging that appears when the upload fails.
Another PR should be created to give the option to the administrator to sanitize SVG files rather than just scanning them for issues.

avatar Fedik
Fedik - comment - 19 Aug 2022

I have added better messenging, Please test #38536

avatar level420
level420 - comment - 28 Oct 2022

For joomla 4.2.4 I was not able to upload any svg image even with all settings for the media manager

Allowed extensions: svg
Legal Image Extensions: svg
Legal MIME Types: image/svg+xml

Any progress on this issue?

avatar Orgoth
Orgoth - comment - 11 Jul 2023

For joomla 4.3.2 it is the same.

Allowed extensions: svg
Legal Image Extensions: svg
Legal MIME Types: image/svg+xml

Had to upload the files via sftp, the media manager blocks any attempt.
Message by the Manager: File can not be uploaded. "Datei kann nicht hochgeladen werden."


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38068.

avatar obuisard
obuisard - comment - 11 Jul 2023

For joomla 4.3.2 it is the same.

Allowed extensions: svg Legal Image Extensions: svg Legal MIME Types: image/svg+xml

Had to upload the files via sftp, the media manager blocks any attempt. Message by the Manager: File can not be uploaded. "Datei kann nicht hochgeladen werden."

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38068.

This can still happen. SVG files are checked upon upload and if there is anything in the file that is considered harmful, the file will be rejected. You need to make sure the SVG file has been sanitized before use.

avatar Orgoth
Orgoth - comment - 11 Jul 2023

For joomla 4.3.2 it is the same.
Allowed extensions: svg Legal Image Extensions: svg Legal MIME Types: image/svg+xml
Had to upload the files via sftp, the media manager blocks any attempt. Message by the Manager: File can not be uploaded. "Datei kann nicht hochgeladen werden."
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38068.

This can still happen. SVG files are checked upon upload and if there is anything in the file that is considered harmful, the file will be rejected. You need to make sure the SVG file has been sanitized before use.

I have create the svg with inkscape, I have assumed, it would already be sanitized.

avatar obuisard
obuisard - comment - 11 Jul 2023

I have create the svg with inkscape, I have assumed, it would already be sanitized.

Actually, no.
If you saved it via Inkscape, chances are the file is full of namespace tags added by the editor, unless you have saved your file as 'plain SVG'.

avatar Orgoth
Orgoth - comment - 11 Jul 2023

I tested a SVGOMG optimized file and it worked.
Thank you very much for this hint.
It would be good if this could be described better.
Since just the message alone is not helpful at all.

Instead of this message: "File cannot be uploaded."
Would be better to add the addition that the user should check if the file is sanitized.

Some hint would be really helpful, otherwise there will be a lot more users like me who stumble across this problem and then open completely unnecessary new tickets.
It's even worse with pagebuilders like Yootheme or SPPB, where there's no feedback at all, just an empty popup.
Which suggests that there is a problem with the notification not being communicated correctly to the outside world.

Regardless, thanks again and a thumbs up from me as well for the answers.

avatar Quy
Quy - comment - 11 Jul 2023

Instead of this message: "File cannot be uploaded." Would be better to add the addition that the user should check if the file is sanitized.

Please test PR #38536.

avatar obuisard
obuisard - comment - 11 Jul 2023

Instead of this message: "File cannot be uploaded." Would be better to add the addition that the user should check if the file is sanitized.

Please test PR #38536.

Yes, please test, it will help getting it included in the 4.3.4 release next month. Thank you!
If you need help on how to test, please refer to https://docs.joomla.org/Bug_Tracking_Process

avatar alikon alikon - change - 11 Jul 2023
Status New Closed
Closed_Date 0000-00-00 00:00:00 2023-07-11 17:48:53
Closed_By alikon
avatar alikon alikon - close - 11 Jul 2023
avatar alikon
alikon - comment - 11 Jul 2023

closing as we have pr #38536

Add a Comment

Login with GitHub to post a comment