
fix: svgs are now being saved #86

Open
battlemag5 wants to merge 2 commits into ZimengXiong:main from battlemag5:fix/allow-svg-dataurl

Conversation

@battlemag5

This PR is for the proposed solution for the issue: #84

Preserve data:image/svg+xml in file sanitization and add a regression test.
@battlemag5 (Author)

Might be related to #49
Not sure if I understood what mindmap is correctly

@ZimengXiong ZimengXiong added labels bug (Something isn't working), priority:p2 (Important, but not urgent) and area:import-export (Import and export behavior) on Apr 1, 2026
@ZimengXiong ZimengXiong self-requested a review April 2, 2026 21:52
Comment thread backend/src/security.ts
"data:image/jpg",
"data:image/gif",
"data:image/webp",
"data:image/svg+xml",
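Review bot: adding "data:image/svg+xml" to this prefix allowlist gives SVG the same trust as the raster types above it, but an SVG is an XML document that can carry <script>, on* event handlers, <foreignObject> and external references, so a prefix match alone does not establish that the payload is safe; decode the data URL and validate the SVG body (or run it through an SVG-aware sanitizer) before re-admitting it under this prefix. Separately, "data:image/jpg" two lines up is not the registered MIME type (that is image/jpeg); worth confirming the list is meant to accept both spellings.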
@ZimengXiong (Owner)

Allowing data:image/svg+xml through the sanitizer unconditionally is too broad; SVG payloads need tighter validation than the other image formats here.

A safer approach would be to only preserve SVG data URLs after decoding and validating the SVG content itself, for example by rejecting active content (<script>, event handlers, external references, unsafe foreignObject, etc.) and only allowing a constrained subset back into data:image/svg+xml.
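One way to do what the review asks, as an added example that is not part of this PR or of the repository (the element and attribute allowlists, the function names and the sample inputs are assumptions; the project's own backend/src/security.ts is not reproduced here): decode the data URL, tokenize the SVG against a strict allowlist of elements and attributes, reject any markup the tokenizer cannot account for, and re-encode only what passed.

```typescript
// Added example, not the project's own code: admit a data:image/svg+xml URL
// only after decoding it and checking that the SVG body stays inside a small,
// passive subset. Names, allowlists and sample inputs are assumptions.

const SVG_PREFIX = "data:image/svg+xml";

// Assumed element allowlist: shapes, grouping, gradients, text. Everything
// else (script, foreignObject, use, image, style, a, ...) is rejected.
const ALLOWED_TAGS = new Set([
  "svg", "g", "path", "rect", "circle", "ellipse", "line", "polyline",
  "polygon", "text", "tspan", "defs", "lineargradient", "radialgradient",
  "stop", "clippath", "title", "desc",
]);

// Assumed attribute allowlist. on* handlers, href/xlink:href and style are
// not on it, so event handlers and external references never get through.
const ALLOWED_ATTRS = new Set([
  "xmlns", "xmlns:xlink", "viewbox", "width", "height", "x", "y", "x1", "y1",
  "x2", "y2", "cx", "cy", "r", "rx", "ry", "d", "points", "fill", "stroke",
  "stroke-width", "stroke-linecap", "stroke-linejoin", "stroke-dasharray",
  "transform", "opacity", "fill-opacity", "stroke-opacity", "font-size",
  "font-family", "font-weight", "text-anchor", "id", "class", "offset",
  "stop-color", "stop-opacity", "clip-path",
]);

function fromBase64(b64: string): string {
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function toBase64(text: string): string {
  const bytes = new TextEncoder().encode(text);
  return btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(""));
}

// Split "data:image/svg+xml[;charset=utf-8][;base64],<payload>" and decode it.
export function decodeSvgDataUrl(url: string): string | null {
  if (!url.toLowerCase().startsWith(SVG_PREFIX)) return null;
  const comma = url.indexOf(",");
  if (comma < 0) return null;
  const params = url.slice(SVG_PREFIX.length, comma).toLowerCase();
  const payload = url.slice(comma + 1);
  try {
    return params.split(";").includes("base64")
      ? fromBase64(payload)
      : decodeURIComponent(payload);
  } catch {
    return null; // malformed base64 or percent-encoding
  }
}

// Tokenizer for well-formed start/end tags; deliberately not a full XML parser.
const TAG_RE = /<\/?([A-Za-z][\w:.-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

export function isSafeSvg(svg: string): boolean {
  // DOCTYPE/entities, processing instructions, CDATA and comments can smuggle
  // or define content the tokenizer below never sees; reject them outright.
  if (/<[!?]/.test(svg)) return false;
  // Only fragment references (url(#id)) may appear; anything else pulls in an
  // external resource. javascript: never belongs in an SVG we keep.
  if (/url\s*\(\s*["']?\s*(?!#)/i.test(svg) || /javascript:/i.test(svg)) return false;

  const starts = new Set<number>();
  let sawRoot = false;
  let m: RegExpExecArray | null;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(svg)) !== null) {
    starts.add(m.index);
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return false;
    if (tag === "svg") sawRoot = true;
    ATTR_RE.lastIndex = 0;
    let a: RegExpExecArray | null;
    while ((a = ATTR_RE.exec(m[2])) !== null) {
      if (!ALLOWED_ATTRS.has(a[1].toLowerCase())) return false;
    }
  }
  // Every '<' must begin a tag the tokenizer accepted. A '<' it could not
  // parse (e.g. "<svg/onload=...>") is exactly what a lenient renderer would
  // recover from, so treat it as hostile rather than skipping it.
  for (let i = svg.indexOf("<"); i !== -1; i = svg.indexOf("<", i + 1)) {
    if (!starts.has(i)) return false;
  }
  return sawRoot;
}

// Returns a normalised, re-encoded data URL for a safe SVG, or null to drop it.
export function sanitizeSvgDataUrl(url: string): string | null {
  const svg = decodeSvgDataUrl(url);
  if (svg === null || !isSafeSvg(svg)) return null;
  return `${SVG_PREFIX};base64,${toBase64(svg)}`;
}

// Constructed sample inputs (not taken from the project).
export const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
  '<rect x="1" y="1" width="8" height="8" fill="#09f"/></svg>';
export const BENIGN_URL = `${SVG_PREFIX};base64,${toBase64(BENIGN_SVG)}`;
export const HOSTILE_URL = `${SVG_PREFIX},` + encodeURIComponent(
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>');
```

The re-scan of every `<` is what lets a tokenizer this simple hold up: a tag the regex cannot parse is rejected rather than skipped, so markup a forgiving renderer would recover from never reaches the renderer at all. The trade-off is that `href`/`xlink:href` are dropped entirely, so gradients and clips have to be referenced through `url(#id)`; when that restriction is too tight, a DOM-based sanitizer with an SVG profile (DOMPurify, for example) is the usual choice instead of growing this allowlist.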

@ZimengXiong (Owner) left a comment

Thanks for the PR.

@ZimengXiong ZimengXiong self-assigned this Apr 7, 2026
@battlemag5 (Author)

Hey @ZimengXiong,
Sorry for the absence. I'm not well versed in TypeScript, so I don't think I'll be able to deliver this PR comparatively well.

@ZimengXiong (Owner)

ZimengXiong commented Apr 15, 2026 via email
