mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-16 13:20:06 -05:00
Gitea can't render SVG files. #412
Closed
opened 2025-11-02 03:22:20 -06:00 by GiteaMirror
·
61 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#412
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @lcges on GitHub (Mar 1, 2017).
Hello!
Gitea can't render SVG files.
It is a matter of settings?
or
Do not implement functionality?
GITEA:

GITHUB:

@pgaskin commented on GitHub (Mar 1, 2017):
The problem is serving with the wrong mime type.
@arkraft commented on GitHub (Mar 2, 2017):
Right now the mime type is read by calling http.DetectContentType. This does not support the "image/svg+xml" mime type. There was a feature request for this (golang/go#15888), but it seems they won't implement it until it is also implemented in the mimesniff spec (whatwg/mimesniff#7). mime.TypeByExtension supports "image/svg+xml" as it has ".svg" in its built-in table. https://github.com/golang/go/blob/release-branch.go1.6/src/mime/type.go#L35
@lunny commented on GitHub (Mar 2, 2017):
It seems change the code to this will fix the bug.
@pgaskin commented on GitHub (Mar 2, 2017):
My render raw files pull request does exactly this, but tboerger seems to think it is a very big security risk.
@lcges commented on GitHub (Mar 13, 2017):
Hi, this is text about SVG security. Don't worry, GitHub could do it, so can we!
First make sure that we set a good headers safety. The basic HTTP response headers with the SVG file will be:
In addition, the magazine SVG files could be transferred to a separate domain or subdomain that does not require authentication even through mechanisms such as cookies (files can be referenced eg. The GUID, you should also add .svg extension to file names). In such a situation, a successful XSS attack will be much less of a threat.
Then, set up a very strict policy Content Security Policy (CSP) - whether it is for a script that returns the content of vector graphics, or the server that serves SVG files from the directory. Setting the CSP value such as Content-Security-Policy: script-src 'none' turns off the ability to execute scripts for the document (ie malicious graphics, SVG).
SVG files can also be processed on the server and convert to safer raster image formats (eg. PNG). You can also attempt to remove potentially dangerous scripts - for this purpose can be used, eg. Utility SVG Purifier.
As you can see ideas to deal with SVG format is quite a lot, but by far the best option is to use SVG files only by developers and the strict prohibition upload such documents.
Say NO SVG files from an untrusted source.
@lcges commented on GitHub (Apr 13, 2017):
Is there any plans to add support for SVG in the near future?
@lunny commented on GitHub (Apr 13, 2017):
No people are working on this.
@edgar-bonet commented on GitHub (Jun 14, 2017):
I have reported the issue to the Gogs bug tracker, before even knowing about Gitea.
@edgar-bonet commented on GitHub (Jun 15, 2017):
I tried to investigate the issue. I have no solution, but some info that I hope will be helpful:
SVG embedded in markdown
SVG images do not display in rendered markdown. The following
is rendered as
by both Gogs and Gitea. GitHub's rendering is only slightly different: it links to the blob instead of the raw page, it has
target="_blank"instead ofrel="nofollow", and it addsstyle="max-width:100%;"to the img tag. The image, however, is not rendered by the browser (Firefox and Chromium at least) because it is served with the HTTP headerThis is consistent between the three services tested. See my test repo:
SVGs served by GitHub
GitHub has a feature lacking in both Gogs and Gitea: the blob page has buttons for switching between “source blob” and “rendered blob” views, defaulting to the latter. This can be useful since, as stated above, the raw page does not render the image in-browser.
The implementation, however, seems quite complex. The “rendered blob” view uses an iframe pointing to render.githubusercontent.com. This iframe uses JavaScript to generate an
imgelement with a data URL containing the image. Any JavaScript embedded in the SVG is not stripped, but the browser does not interpret it anyway.When serving SVG from raw URLs, GitHub issues a 302 redirect to raw.githubusercontent.com. Following the redirect, the SVG is served with what looks like a lot of security-related headers:
Embedding SVGs containing JavaScript
Testing with my local Web server, I found that neither Firefox nor Chromium would interpret JavaScript embedded in an SVG if that SVG is loaded from an HTML's
imgelement. This could be what makes GitHub's “rendered blob” safe. The JavaScript is however interpreted if the HTML embeds the SVG using aniframe, anembedor anobjectelement.@bkcsoft commented on GitHub (Jun 19, 2017):
Gitea (and Gogs) does not handle multiple domains, which would be a requirement for this. This has been discussed some over at https://github.com/gogits/gogs/issues/1314 . And there's already
?render=1https://github.com/gogits/gogs/issues/2593 that could be used for this if you really want to. As for adding an option to always do this, the answer is currently 'no' since it's a security risk https://github.com/go-gitea/gitea/issues/683@edgar-bonet commented on GitHub (Jun 19, 2017):
Don't the headers
provide a reasonable level of protection against these security risks?
@jonasob commented on GitHub (Oct 26, 2017):
It seems
?render=1doesn't do much, and I even wonder if what I'm trying to do would be solved by this! Here's what I'm trying to do. I have an svg file, which is served by Gitea underhttps://git.fsfe.org/reuse/reuse-ci/raw/master/reuse-compliant.svg
I would like to include this in a README.md as such:
Adding
?render=1doesn't seem to do much of a difference here. I could, and probably will need to, host the svg on a standard website, but it seems silly to spin up a webserver when it's already (in theory) served through Gitea :)@lunny commented on GitHub (Oct 26, 2017):
maybe a client render via javascript.
@bkcsoft commented on GitHub (Oct 29, 2017):
@lunny That is only slightly worse than rendering it directly 🙁
@bluecatchbird commented on GitHub (Jun 21, 2018):
Is somebody still working on this?
@lafriks commented on GitHub (Jun 22, 2018):
@bluecatchbird I don't think so
@fduxiao commented on GitHub (Jul 30, 2018):
You guys can read this, which uses a
?sanitize=trueto get rid of javascript.@kiemrong08 commented on GitHub (Aug 13, 2018):
Markdown in gitea, i cannot display image.
Gitea Version: 280ebcb@lunny commented on GitHub (Aug 13, 2018):
@kiemrong08 please file another issue if you cannot find similar issue.
@ghost commented on GitHub (Aug 13, 2018):
I wasn't aware of of exploits though some are listed here: https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload. Why not just parse out any inline JS—which IMO shouldn't be allowed in SVG anyway—and serve from the same domain inside a sandboxed iFrame?
@stale[bot] commented on GitHub (Jan 14, 2019):
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
@pintman commented on GitHub (Jan 14, 2019):
Issue should be closed if the problem is solved, not by time of inactivity. :-/
@lesderid commented on GitHub (Jan 14, 2019):
Yeah, this new policy is frankly pretty darn stupid.
@lunny commented on GitHub (Jan 16, 2019):
Just closed since no solution currently.
@lesderid commented on GitHub (Jan 16, 2019):
@lunny Why are you closing a valid issue about an often requested feature? Aside from it just not making much sense imo, people who find this project and want to contribute to it probably won't be looking at closed issues, so I'm not sure it's a good idea.
@Oreolek commented on GitHub (Aug 25, 2019):
Why is this issue closed? It's still valid. It's easy to fix if the gitea is an upstream proxy behind a web server, but there's no solution when exposing the gitea itself.
@lunny commented on GitHub (Aug 25, 2019):
The issue was closed by security consider. If somebody could send a PR to fix this without security problem. Send go ahead.
@lesderid commented on GitHub (Aug 25, 2019):
Unless the requested feature is inherently insecure, why close a feature request "for security"? Would you close a feature request for password reset functionality because the easiest implementation (generating a new password and sending it via e-mail) is insecure?
I thought one of the main reasons Gitea forked from Gogs was for the project to be managed more sensibly, but the way issues are being handled lately I'm starting to doubt whether you're serious about it.
@lunny commented on GitHub (Aug 25, 2019):
Sorry for my poor English. But please read above discussion and see the link https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload
@lesderid commented on GitHub (Aug 25, 2019):
@lunny
What I'm saying is that this issue doesn't propose any specific implementation. Displaying SVG files can indeed be insecure if implemented naively, but there are ways to display arbitrary SVG files securely, too.
It's useful to have an issue that tracks this feature request, so PRs for a secure implementation can reference it, so potential contributors know this is something they can work on implementing, etc. Closing this issue hides the feature request and could be interpreted as a "won't fix", i.e. that the feature is not wanted, which I'm pretty sure is not the case here.
@davidsvantesson commented on GitHub (Aug 25, 2019):
This comment by @strk in pull request 685 seem to be an accepted solution (I have not seen any objections):
It should correspond to what Github does (raw.githubusercontent.com).
@Oreolek commented on GitHub (Aug 25, 2019):
What exactly is the security concern here? The linked StackOverflow thread is 6 years old, all browsers now don't execute Javascript in SVGs in image context (and we can use CORS header to be sure of that, btw). The memory overflow attacks are browser version-specific and, again, fixed in current browser versions.
@davidsvantesson commented on GitHub (Aug 28, 2019):
What I understand, while javascript could potentially do a lot of harmful, the most concern is that it can steal cookies/credentials from a users accessing the file, since the file is served from the same site as the cookie. That is why having a different domain would solve at least that problem.
GitHubs solution seem to work like this:
So it should be possible for Gitea to do this within the same application by checking if the domain of the URL is ROOT_URL_RAW. It would need good documentation on how to set it up.
@guillep2k commented on GitHub (Aug 28, 2019):
If that's the main concern, perhaps an alternative to a second domain (not always available) is to give cookies a path. So users without the ability to set up different domains, can have Gitea URLs like:
With this in mind, perhaps the admin has three options: 1) disable SVG rendering, 2) enable with alternate path and 3) enable with subdomain.
@lafriks commented on GitHub (Aug 28, 2019):
Or we could create method that returns svg files cleaned up (by removing all script xml tags)
@sapk commented on GitHub (Aug 28, 2019):
An other simple way would be to render them (server side) in an other format like png.
I haven't found go lib to clean svg (only some php that seems to be used in wordpress plugin https://github.com/darylldoyle/svg-sanitizer it self based on a js one https://github.com/cure53/DOMPurify)
@sapk commented on GitHub (Aug 28, 2019):
Those projects contain svg test fixture that could be re-use for a go library.
@lafriks commented on GitHub (Aug 28, 2019):
This could probably be ported to golang
@sapk commented on GitHub (Aug 28, 2019):
We already have a dom parser/sanitizer (https://github.com/microcosm-cc/bluemonday) that could maybe configure to do this.
@davidsvantesson commented on GitHub (Aug 28, 2019):
Wouldn't that already be possible with the external render functionality? SVG can contain for example links that would be lost if rendering them to png.
Although SVG is what most peope want, are there other files that should be possible to view in raw format? Should be better to find a general solution in that case.
@guillep2k commented on GitHub (Aug 28, 2019):
Rendering SVG to PNG will have several drawbacks:
@jcw commented on GitHub (Feb 9, 2020):
I came here because the lack of support for
in Markdown very much surprised me. Here is my example. Given that both the embedding document and the SVG content are part of the same repository, I don't see how a JavaScript security concern affects any of this.Would it be an option to support this kind of SVG embedding if the SVG comes from the same repo?
@lafriks commented on GitHub (Feb 9, 2020):
@jcw problem is that svg can contain JavaScript and someone could create repository with malicious svg file that could be used to attack other users on that server
@jcw commented on GitHub (Feb 9, 2020):
Thanks for clarifying, @lafriks. I'm not a front-end developer, so what follows may be wrong:
I understand and fully respect the fact that this issue is non-trivial. Nevertheless, it might be worth considering moving towards a limited resolution (or perhaps passing the risk on to gitea admins, by having a site config setting as to whether embedded SVG is allowed).
I'm just trying to help find a gentle way out. SVG's scale independence makes it very useful for visual diagrams, given the wide range of screen sizes used to browse on a gitea site.
@alexanderadam commented on GitHub (Apr 7, 2020):
The variant edgar-bonet mentioned sounds very good to me.
JS from inside the image wouldn't have any access to the parent if SVG images would be replaced with an iframe which has the
sandboxattribute (at least for, more or less, any modern Browser).And for the paranoid ones, this feature could be optional, maybe?
Also removing dangerous things were mentioned a few times. I guess the Go library bluemonday is made for exactly this. Furthermore it is already a dependency anyway (it should be updated though because Gitea uses a version from 2016!).
But attackers are sometimes also finding some sanitizer issues (i.e. if projects are using outdated versions 😉 ). So I guess it would make sense to make the sandboxed iframe-solution mandatory to have at least a level of security if the browser works correctly. And I guess it would be a nice bonus if a lib like bluemonday is used additionaly.
@edgar-bonet commented on GitHub (Apr 8, 2020):
A while ago I created a repo just for testing the handling of SVG images in a README file:
Visiting this repo again, I notice that now GitHub does render the inline SVGs. The GitHub issue “Fix relative SVG rendering” has accordingly been closed.
The GitHub solution seems to rely on multiple layers of defence:
<script>elements have been removed@mpfaff commented on GitHub (Apr 18, 2020):
Can allowing unsecure svgs just be made a config option? On a semi-private Gitea instance, it really should matter that svgs aren't "technically" secure, because only people you trust have accounts. In my case, I'd like to be able to embed svgs in README.md files, but Gitea is forcing the mime-type to be set to text/plain.
@jcw commented on GitHub (Apr 18, 2020):
Exactly - that's what I suggested 2 months ago. For precisely the same reason.
@sapk commented on GitHub (Apr 19, 2020):
From testing in #8024 we could use bluemonday to clean-up svg but to be secure (at least in it current state) it need to block some svg functionality like url() linking to some gradient. I suggest we could add a config (SVG_RENDER_METHOD) that would be set to "none" (or reject) by default and can be set to "filtered" (limited set of func) or "insecure" (the raw source).
@alexanderadam commented on GitHub (Apr 19, 2020):
It's not only about trusting the people on your server (or yourself) but also about not using the mirroring feature of gitea. Because you could obviously also mirror a repository that is safe today, but includes a malicious SVG that hijacks your Gitea credentials tomorrow.
Just to be sure: is there any reason against rendering the SVG in a sandboxed iFrame?
Because if I understand this correctly, this is handled like a different domain if the
sandboxattribute is used (it will intentionally always fail same origin policy). Furthermore forms, popups and similar things are blocked as well.So it probably needs "only" a nearly-static page with an iframe that (with transparent background & defined dimensions and alignment, though).
And to clarify this: I'm not against stripping dangerous tags, as mentioned earlier. I just believe that browsers should be pretty secure if used correctly and I guess some smart people implemented the sandbox feature.
@mpfaff commented on GitHub (Apr 19, 2020):
To add to what I'd said earlier, I'd like to see Gitea add a "semi-dangerous" option to allow some svg features, and another "more-dangerous" option with more warnings that allows object tags to enable embedding svgs with fonts, something that can't currently be done with img tags.
@guillep2k commented on GitHub (Apr 21, 2020):
I'd prefer @alexanderadam 's idea of sandboxing the SVGs, via a config on/off setting. Luckily the suggested solutions are not mutually exclusive.
@lhinderberger commented on GitHub (Sep 7, 2020):
This issue is also relevant to Codeberg.org, where there also have been discussion about this: https://codeberg.org/Codeberg/Community/issues/220
One possible solution would be to implement a media proxy as suggested in #916
EDIT: IF that proxy is on another origin, e.g. on a different subdomain.
@jtran commented on GitHub (Nov 25, 2020):
I see that #8024 is closed now due to inactivity. What's the status of that or some other filtering approach? Is anyone still working on that angle?
@Codeberg-org commented on GitHub (Nov 26, 2020):
tbh we would like to see sandboxing for all rendering of user-provided content and previews.
@alexanderadam commented on GitHub (Nov 27, 2020):
I didn't think of it before but of course you're absolutely right. Putting rendered markdown and other content completely within a sandboxed frame also avoids the problem of mapping sizes of the SVG to its containing frame.
PS: Also paths probably have to be still rewritten (for having the SVG within an iFrame) and/or dangerous attributes still removed because users could still be tricked by adding an infographic that you want to see in full screen.
i.e.
It doesn't appear evil, since it's still the same domain and many users probably won't know its implications accessing the SVG directly.
@kdumontnu commented on GitHub (Nov 30, 2020):
Can't we just embed in an
imgtag to disable scripts?@jtran commented on GitHub (Nov 30, 2020):
As far as I can tell from @edgar-bonet's test repo, GitHub doesn't strip
<script>tagsand doesn't serve from a different domain. TheI believe what's happening is that the<img>tag uses a relative URL, so it's the same domain.<img>tag is indeed disabling scripts. When you navigate to the URL of the SVG in your browser, the<script>tag is still there, but the CSP forbids the script execution. Firefox gives me a message about it in the console.Edit: it does serve from a different domain using a 302 redirect.
@jtran commented on GitHub (Dec 1, 2020):
I propose the following changes to close this issue:
<img>tag to load the SVG file, whether this is navigating to the SVG file in the tree or embedding in markdown. Since browsers disallow scripts or other external resources when using an<img>tag, SVG files with scripts are handled. If people don't want to give up the text rendering when navigating to the file in the tree, there can be a new button that toggles between the SVG with the<img>tag and the text, similar to GitHub's blob page.Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox. This is so that when anyone navigates in their browser directly to the raw SVG file, scripts are disallowed.Content-Type: image/svg+xml. This is so that browsers properly display the SVG image when embedded in markdown.What's wrong with this proposed solution? It handles SVG files with embedded script tags, without a separate domain, and makes no assumptions about the trustworthiness of the files. It handles displaying the SVG when navigating in the source tree, going directly to the raw file, and when embedding the raw image file in markdown. It does it without a whitelist of things to filter and without adding any new configuration options. So what am I missing?
@edgar-bonet commented on GitHub (Dec 1, 2020):
@jtran wrote:
The user can bypass this by right-clicking on the image and selecting “View Image” (Firefox) or “Open image in new tab” (Chromium). From what I see on GitHub, it seems that the
Content-Security-Policyheader provides adequate protection in this case.@jtran commented on GitHub (Dec 22, 2020):
Check out PR #14101 where I implemented the above.