Support SVG avatars #4197

Open
opened 2025-11-02 05:42:04 -06:00 by GiteaMirror · 13 comments
Owner

Originally created by @strk on GitHub (Oct 27, 2019).

SVG images are not supported as avatars (cannot be uploaded, reported to "not be an image").
I'm not sure this is a duplicate of #1095 so I'm filing it separately

Originally created by @strk on GitHub (Oct 27, 2019). SVG images are not supported as avatars (cannot be uploaded, reported to "not be an image"). I'm not sure this is a duplicate of #1095 so I'm filing it separately
GiteaMirror added the type/enhancement label 2025-11-02 05:42:04 -06:00
Author
Owner

@lunny commented on GitHub (Nov 2, 2019):

I think it's the same. Since it cannot be rendered safely, we cannot allow it uploaded.

@lunny commented on GitHub (Nov 2, 2019): I think it's the same. Since it cannot be rendered safely, we cannot allow it uploaded.
Author
Owner

@stale[bot] commented on GitHub (Jan 1, 2020):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale[bot] commented on GitHub (Jan 1, 2020): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
Author
Owner

@stale[bot] commented on GitHub (Jan 15, 2020):

This issue has been automatically closed because of inactivity. You can re-open it if needed.

@stale[bot] commented on GitHub (Jan 15, 2020): This issue has been automatically closed because of inactivity. You can re-open it if needed.
Author
Owner

@dmolineus commented on GitHub (Jan 22, 2020):

The issue still occurs. Would be great if it get reopen.

@dmolineus commented on GitHub (Jan 22, 2020): The issue still occurs. Would be great if it get reopen.
Author
Owner

@vexvec commented on GitHub (Nov 12, 2021):

@lunny could this issue eventually being resolved by using the method implemented in this pull request https://github.com/go-gitea/gitea/pull/14101?

@vexvec commented on GitHub (Nov 12, 2021): @lunny could this issue eventually being resolved by using the method implemented in this pull request https://github.com/go-gitea/gitea/pull/14101?
Author
Owner

@lunny commented on GitHub (Nov 12, 2021):

I don't know if there is a risk for that.

@lunny commented on GitHub (Nov 12, 2021): I don't know if there is a risk for that.
Author
Owner

@wxiaoguang commented on GitHub (Nov 12, 2021):

Some reference:

@wxiaoguang commented on GitHub (Nov 12, 2021): Some reference: * https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script The SVG script element allows to add scripts to an SVG document. * https://stackoverflow.com/questions/5378559/including-javascript-in-svg Including JavaScript in SVG * `https://github.com/pranav77/XSS-using-SVG-file` * https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
Author
Owner

@vexvec commented on GitHub (Nov 12, 2021):

Thanks for the references.
@wxiaoguang
I've looked at the code and found out that it is already implemented. But for an unknown reason it doesn't work. So I think this issue should be considered as a bug.

The error message "The uploaded file is not an image." is the locale value for the variable "uploaded_avatar_not_a_image" which is present in the 2 files "routers/web/repo/setting.go" and "routers/web/user/setting/profile.go".

For an uploaded image there is the following content type check.

st := typesniffer.DetectContentType(data)
if !(st.IsImage() && !st.IsSvgImage()) {
	return errors.New(ctx.Tr("settings.uploaded_avatar_not_a_image"))
}

EDIT: I've found the line where it is rejected. It's the second ! in the function above

@vexvec commented on GitHub (Nov 12, 2021): Thanks for the references. @wxiaoguang I've looked at the code and found out that it is already implemented. But for an unknown reason it doesn't work. So I think this issue should be considered as a bug. The error message "The uploaded file is not an image." is the locale value for the variable "uploaded_avatar_not_a_image" which is present in the 2 files "routers/web/repo/setting.go" and "routers/web/user/setting/profile.go". For an uploaded image there is the following content type check. ```go st := typesniffer.DetectContentType(data) if !(st.IsImage() && !st.IsSvgImage()) { return errors.New(ctx.Tr("settings.uploaded_avatar_not_a_image")) } ``` EDIT: I've found the line where it is rejected. It's the second ! in the function above
Author
Owner

@silverwind commented on GitHub (Mar 17, 2023):

If there is a battle-tested SVG sanitizer available in golang, we could reconsider.

@silverwind commented on GitHub (Mar 17, 2023): If there is a battle-tested SVG sanitizer available in golang, we could reconsider.
Author
Owner

@vexvec commented on GitHub (Mar 17, 2023):

@silverwind I've done a quick search on gh and Google for one, but unfortunately I found just a few simple tag cleaners (removes script tags, so far away from battle tested).

As far as I have seen, the current method for providing security with svgs is by using an adequate content security policy (http header) or (better and) using img tags for displaying the svg image.

Additionally I would suggest that svg uploads must be enabled in the ini config.

I think the gitea admins should be able to decide on their own if they want to use this functionality and eventually have a rest risk of that it can be exploited. For a public instance it can make sense to forbid it, but for private instances the adminis should have the possibility to allow it.

@vexvec commented on GitHub (Mar 17, 2023): @silverwind I've done a quick search on gh and Google for one, but unfortunately I found just a few simple tag cleaners (removes script tags, so far away from battle tested). As far as I have seen, the current method for providing security with svgs is by using an adequate content security policy (http header) or (better and) using img tags for displaying the svg image. Additionally I would suggest that svg uploads must be enabled in the ini config. I think the gitea admins should be able to decide on their own if they want to use this functionality and eventually have a rest risk of that it can be exploited. For a public instance it can make sense to forbid it, but for private instances the adminis should have the possibility to allow it.
Author
Owner

@hramrach commented on GitHub (Aug 19, 2025):

Is there anything remaining to be done here?

@hramrach commented on GitHub (Aug 19, 2025): Is there anything remaining to be done here?
Author
Owner

@malik-n commented on GitHub (Sep 16, 2025):

Is there anything remaining to be done here?

finding a battle-tested SVG sanitizer it seems like

I also wish for this feature, but I understand the concerns for safety

@malik-n commented on GitHub (Sep 16, 2025): > Is there anything remaining to be done here? finding a battle-tested SVG sanitizer it seems like I also wish for this feature, but I understand the concerns for safety
Author
Owner

@hramrach commented on GitHub (Sep 16, 2025):

I see the other issues about SVG avatars were closed as 'completed' but nothing was done there, they are just marked as duplicates.

@hramrach commented on GitHub (Sep 16, 2025): I see the other issues about SVG avatars were closed as 'completed' but nothing was done there, they are just marked as duplicates.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#4197