@secretpeej @Mastodon @pixelfed they're already generating all sorts of previews anyway. Might as well just convert SVGs to PNGs.
@secretpeej @rysiek @Mastodon @pixelfed
This was a long-time issue in #gitea as well: GH offered SVG support, Gitea did not.
Here's the discussion. I did not look into the PR code, but I believe they sanitize the SVG code. There's also a link to possible exploits if that is not done.
@humanetech @secretpeej @Mastodon @pixelfed sanitizing SVG is a fiendishly complicated affair, but it has gotten better since the last time I needed to deal with it -- `Content-Security-Policy: script-src 'none'` now exists.
This does require a separate domain/subdomain for hosting SVGs though, complicating deployment.
That's why I think converting server-side is the way to go.
@rysiek @secretpeej @Mastodon @pixelfed
Indeed.
Again, I didn't read the full details, but I believe that Gitea went with a 'safe enough' approach that does not require a separate (sub)domain.
The last PR at the bottom of the issue has some good details in comments.
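The two approaches discussed above, sanitizing the SVG before storing it and serving it with a script-blocking CSP, combined in one added example. This is not code from the thread, from Gitea, or from Mastodon; the element and attribute lists, the header set and the sample SVG are my own assumptions, and the parser is the standard library one (use defusedxml for untrusted XML in production).

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that can run script or embed arbitrary HTML inside an SVG (assumed list).
DROP_ELEMENTS = {"script", "foreignObject"}
# URL schemes that must never appear in href / xlink:href (assumed list).
BAD_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1]


def _unsafe_url(value: str) -> bool:
    # Collapse whitespace and control chars so "java\nscript:" is caught too.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith(BAD_SCHEMES)


def sanitize_svg(svg_text: str) -> str:
    """Return svg_text with script-capable elements and attributes removed."""
    root = ET.fromstring(svg_text)
    for elem in list(root.iter()):           # snapshot: the tree is mutated while walking
        for child in list(elem):
            if _local(child.tag) in DROP_ELEMENTS:
                elem.remove(child)
        for attr in list(elem.attrib):
            local = _local(attr).lower()
            if local.startswith("on") or (local == "href" and _unsafe_url(elem.attrib[attr])):
                del elem.attrib[attr]        # drops onload=, onclick=, javascript: links, ...
    return ET.tostring(root, encoding="unicode")


def svg_response_headers() -> dict:
    """Headers for serving a sanitized SVG from a dedicated media origin (assumed policy)."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; script-src 'none'; "
                                   "style-src 'unsafe-inline'; img-src data:",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample: one benign rectangle plus several script vectors.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(2)</script>
  <rect width="10" height="10"/>
  <a xlink:href="java&#10;script:alert(3)"><text>x</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">hi</body></foreignObject>
</svg>"""
```

Running `sanitize_svg(SAMPLE)` keeps the `rect` and the link text but drops the `script` and `foreignObject` elements, the `onload` handler and the `javascript:` href; the headers are then sent with the stored result.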
@rysiek @Mastodon @pixelfed WordPress also doesn't allow SVG by default, and my understanding is it's because they can contain JavaScript.