And another unfortunate security thing I learned today is that .svg files can... - Random

bert_hubert, 4 months ago

And another unfortunate security thing I learned today is that .svg files can contain JavaScript, and that your browser will happily execute that if someone directly views your image (so not through <img>). This has consequences for anyone hosting user supplied images. Thank you Wander Nauta for pointing this out. The painful story is here: https://github.com/berthubert/trifecta/issues/38

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

+ fitheach, aiefel, rysiek, jpmens +24 more

Image

Image alternative text

brainsmoke, 4 months ago

@bert_hubert Reminds me of my oldest open bug report https://bugzilla.mozilla.org/show_bug.cgi?id=455100 ( https://pizzadoos.com slash death.svg )

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

+ oblomov

rysiek, 4 months ago

@bert_hubert oh man I am having flashbacks to a particularly bad week several years ago when I had discovered same. :blobcateyes:

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

bert_hubert, 4 months ago

@rysiek just found out they also support iframes...

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...