Comments (9)
Good point, allowing svg is a must have! Feel free to do a PR (you can even do this with the Github editor).
I love SVGs, but they also bring a wide range of vulnerabilities. When inserted as an image, the contained scripts will not be executed, but once the image is uploaded on the server, a user just needs to be convinced to visit the link for havoc to be wrought.
With great features come vulnerabilities, but that should be decided by the forum admin by allowing the svg mimetype or not. It would be nice though to be able to choose whether images are inserted as images or as links.
I agree that admins should have a say in this, but if flagrow/upload is striving to be secure software, it should
- inform the user about possible consequences, and
- try to mitigate the risk (at least by using SVG sanitizer).
Either way, security minefields should not be enabled by default.
@jtojnar thanks for that link. I think it would make for a great optional add-on feature. A solution for now would be to add a settings input field that would allow configuration of the mime types being shown as images. Wouldn't that solve this altogether?
@luceos Showing the SVGs as images (via img tag) is actually safe. The issue occurs when the uploaded file is visited directly.
I've merged the PR but adding SVG sanitizer makes sense.
Maybe it is possible to force some specified extensions (like svg) to be downloaded via PHP with a Content-Disposition: attachment header. It might also be possible to achieve the same thing using .htaccess for Apache.
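The two mitigations raised in this thread, sanitizing an uploaded SVG before storing it and answering a direct visit to the file with a Content-Disposition: attachment header so the browser downloads it rather than rendering it, shown together as an added Python example. This is not code from flagrow/upload; the function names, the header set and the sample SVG are constructed for illustration, and the sanitizer covers only the obvious script vectors (script/foreignObject elements, on* event attributes, javascript:/data: hrefs).

```python
"""Defensive handling of uploaded SVG files (added example, not project code)."""
import re
import xml.etree.ElementTree as ET  # in production prefer defusedxml.ElementTree

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or embed arbitrary HTML inside an SVG document.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Both the SVG2 plain href and the legacy xlink:href attribute carry URLs.
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
# URL schemes that execute code or smuggle a document when followed.
DANGEROUS_SCHEME = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)


def _local(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def sanitize_svg(svg_bytes: bytes) -> bytes:
    """Return a copy of the SVG with script-bearing elements and attributes removed."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)

    # Drop forbidden subtrees. Snapshot the element list first so removals
    # do not disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_TAGS:
                parent.remove(child)

    # Drop event-handler attributes and hrefs with an executable scheme.
    for element in root.iter():
        for name in list(element.attrib):
            value = element.attrib[name]
            if _local(name).lower().startswith("on"):
                del element.attrib[name]
            elif name in HREF_ATTRS:
                # Remove whitespace/control characters used to disguise the scheme.
                compact = re.sub(r"[\x00-\x20]", "", value)
                if DANGEROUS_SCHEME.match(compact):
                    del element.attrib[name]

    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def download_headers(filename: str) -> dict:
    """Headers for serving a stored SVG on a direct request.

    Browsers honour Content-Disposition on navigation, so visiting the link
    downloads the file instead of rendering it in the site's origin, while an
    <img> subresource load still displays it. The CSP is a second layer in
    case the file is ever rendered as a document anyway.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "file.svg"
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    }


# Constructed sample: a hostile SVG exercising each vector the sanitizer handles.
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="payload()">'
    b'<script>payload()</script>'
    b'<a xlink:href="java\tscript:payload()"><circle r="5" onclick="payload()"/></a>'
    b'<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">x</body></foreignObject>'
    b'</svg>'
)

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG).decode())
    print(download_headers('evil"name.svg'))
```

The sanitizer is a minimum, not a substitute for a maintained library: it does not inspect `<style>` contents, external references or animation elements, which is why the thread's suggestion of serving uploads as attachments is worth applying even when a sanitizer is in place.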
Resolved in 1.2.3