What is it with fedi server software (looking at you, @Mastodon and @pixelfed ) not accepting SVG image uploads?..

@rysiek @Mastodon @pixelfed WordPress also doesn't allow SVG by default, and my understanding is it's because they can contain javascript.


@secretpeej @Mastodon @pixelfed they're already generating all sorts of previews anyway. Might as well just convert SVGs to PNGs.


@secretpeej @rysiek @Mastodon @pixelfed

This was a long-time issue in #gitea as well, where GH did offer SVG support but Gitea did not.

Here's the discussion. I did not look into the PR code, but believe they sanitize the SVG code. There's also a link to possible exploits if not doing that.


@humanetech @secretpeej @Mastodon @pixelfed sanitizing SVG is a fiendishly complicated affair, but it got better since last time I needed to deal with it -- `Content-Security-Policy: script-src 'none'` now exists.

This does require a separate domain/subdomain for hosting SVGs though, complicating deployment.

That's why I think converting server-side is the way to go.
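The two options in this thread are a strict CSP on a separate origin or refusing/rasterizing anything that carries script. The check below is an added example, not code from this thread or from Mastodon, Pixelfed or Gitea: it only flags an SVG as unsafe to serve raw (script elements, `on*` handlers, `javascript:` links, `foreignObject`), and pairs that with the headers the separate SVG origin would send. It assumes Python's standard `xml.etree` parser and constructed sample documents.

```python
"""Flag SVG uploads that carry script, plus the CSP for a raw-SVG origin.

Added example; not the sanitizer any fedi project actually uses.  Deciding
accept/reject is far easier than rewriting the file, which is why a full
sanitizer is "fiendishly complicated" and why rasterizing is attractive.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute code or embed arbitrary HTML inside the image.
ACTIVE_TAGS = {"script", "foreignObject"}
# href values that run code instead of referencing an image resource.
EXEC_SCHEME = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree adds to qualified names."""
    return name.rsplit("}", 1)[-1]


def svg_findings(svg_text: str) -> list[str]:
    """Return the reasons this SVG must not be served raw (empty = none found)."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)  # expat; no external entity resolution
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"{aname} event handler on <{name}>")
            elif aname == "href" and EXEC_SCHEME.match(value):  # covers xlink:href
                findings.append(f"javascript: href on <{name}>")
    return findings


def is_safe_to_serve_raw(svg_text: str) -> bool:
    return not svg_findings(svg_text)


def raw_svg_response_headers() -> dict[str, str]:
    """Headers for the separate origin that hosts raw SVGs (the thread's CSP)."""
    return {"Content-Type": "image/svg+xml",
            "Content-Security-Policy": "script-src 'none'"}


# Constructed samples, not real uploads.
CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED = ('<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
            '<script>x()</script></svg>')
```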

@rysiek @secretpeej @Mastodon @pixelfed


Again, I didn't read the full details, but believe that gitea went with a 'safe enough' approach that does not require a separate (sub)domain.

The last PR at the bottom of the issue has some good details in comments.
