Kornel

2 years ago

Kornel
2 years ago

SVG images aren’t just images, they’re documents and it’s not safe to serve random people’s svg images on your website.

Here’s a tool that fixes it, and sanitizes #SVG #images to make them as innocent as a JPEG:
github.com/cloudflare/svg-hush

(In #Rustlang, of course)

GitHub - cloudflare/svg-hush: Make it safe to serve untrusted SVG files

Make it safe to serve untrusted SVG files. Contribute to cloudflare/svg-hush development by creating an account on GitHub.

^GitHub

in reply to Kornel

Chris 🌱

in reply to Kornel 2 years ago

@federicomena does librsvg sanitize SVG before rendering? I'm thinking of how GTK calls into librsvg to render svg files.

@Federico Mena Quintero

in reply to Chris 🌱

Federico Mena Quintero

in reply to Chris 🌱 2 years ago

No explicit sanitization step, but it has a policy about loading external resources (see the docs), and catches things like circular references and exponential growth in <use>.

in reply to Federico Mena Quintero

Federico Mena Quintero

in reply to Federico Mena Quintero 2 years ago

policy for references: gnome.pages.gitlab.gnome.org/l…

Rsvg.Handle

Reference for Rsvg.Handle

^{gnome.pages.gitlab.gnome.org}

in reply to Federico Mena Quintero

Federico Mena Quintero

in reply to Federico Mena Quintero 2 years ago

limits to catch explosion of elements: gitlab.gnome.org/GNOME/librsvg…

src/limits.rs · main · GNOME / librsvg · GitLab

A library to render SVG images to Cairo surfaces. GNOME uses this to render SVG icons. Outside of GNOME, other desktop environments use it for similar purposes. Wikimedia...

^GitLab

⇧

Kornel 2 years ago • •

Kornel
2 years ago