uploading SVG images fails about upload HOT 9 CLOSED

Good point, allowing svg is a must have! Feel free to do a PR (you can even do this with the Github editor).

from upload.

I love SVGs but they also bring wide range of vulnerabilities. When inserted as an image, the contained scripts will not be executed but once the image is uploaded on the server, user just needs to be convinced to visit the link for havoc to be wrought.

from upload.

With great features come vulnerabilities, but that should be decided by the forum admin by allowing the svg mimetype or not. It would be nice though to be able to choose whether images are inserted as images or as links.

from upload.

I agree that admins should have say in this but if flagrow/upload is striving to be a secure software, it should

1. inform the user about possible consequences, and
2. try to mitigate the risk (at least by using SVG sanitizer).

Either way, security minefields should not be enabled by default.

from upload.

@jtojnar thanks for that link I think it would make for a great optional add-on feature. A solution for now would be to add a settings input field that would allow configuration of mime types being shown as images. Wouldn't that solve this all together?

from upload.

@luceos Showing the SVGs as images (via img tag) is actually safe. The issue occurs when the uploaded file is visited directly.

from upload.

I've merged the PR but adding SVG sanitizer makes sense.

from upload.

maybe it can be possible to force some specified extension (like svg) be download via php with Content-Disposition: attachment header. it might be aslo possible achieve same thing using .htaccess for Apache.

from upload.

Resolved in 1.2.3

from upload.