Kornel

SVG images aren’t just images, they’re documents and it’s not safe to serve random people’s svg images on your website.

Here’s a tool that fixes it, and sanitizes #SVG #images to make them as innocent as a JPEG:
https://github.com/cloudflare/svg-hush

(In #Rustlang, of course)

GitHub - cloudflare/svg-hush: Make it safe to serve untrusted SVG files

Make it safe to serve untrusted SVG files. Contribute to cloudflare/svg-hush development by creating an account on GitHub.

^GitHub

in reply to Kornel

Chris 🌱

in reply to Kornel • 1 year ago • •

@federicomena does librsvg sanitize SVG before rendering? I'm thinking of how GTK calls into librsvg to render svg files.

@Federico Mena Quintero

in reply to Chris 🌱

Federico Mena Quintero

in reply to Chris 🌱 • 1 year ago • •

No explicit sanitization step, but it has a policy about loading external resources (see the docs), and catches things like circular references and exponential growth in <use>.

in reply to Federico Mena Quintero

Federico Mena Quintero

in reply to Federico Mena Quintero • 1 year ago • •

policy for references: https://gnome.pages.gitlab.gnome.org/librsvg/Rsvg-2.0/class.Handle.html#security-and-locations-of-referenced-files

Rsvg.Handle

Reference for Rsvg.Handle

^{gnome.pages.gitlab.gnome.org}

in reply to Federico Mena Quintero

Federico Mena Quintero

in reply to Federico Mena Quintero • 1 year ago • •

limits to catch explosion of elements: https://gitlab.gnome.org/GNOME/librsvg/-/blob/main/src/limits.rs

src/limits.rs · main · GNOME / librsvg · GitLab

A library to render SVG images to Cairo surfaces. GNOME uses this to render SVG icons. Outside of GNOME, other desktop environments use it for similar purposes. Wikimedia...

^GitLab

⇧

Kornel 1 year ago • •

Kornel
1 year ago • •