diff options
author | smcv <smcv@web> | 2014-07-04 05:35:57 -0400 |
---|---|---|
committer | admin <admin@branchable.com> | 2014-07-04 05:35:57 -0400 |
commit | 9550d2c92c296e32c40e36c87d7b34492c7749c3 (patch) | |
tree | d85cd3236ea53db5451b6e338701f636ec9f06ae /doc/todo | |
parent | 2c18086a74ead49dddf6a50e56faf3cb7fdb9f0c (diff) | |
download | ikiwiki-9550d2c92c296e32c40e36c87d7b34492c7749c3.tar ikiwiki-9550d2c92c296e32c40e36c87d7b34492c7749c3.tar.gz |
yes please
Diffstat (limited to 'doc/todo')
-rw-r--r-- | doc/todo/upload__95__figure.mdwn | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/todo/upload__95__figure.mdwn b/doc/todo/upload__95__figure.mdwn index 52034c21b..d8dd65921 100644 --- a/doc/todo/upload__95__figure.mdwn +++ b/doc/todo/upload__95__figure.mdwn @@ -8,3 +8,13 @@ Unfortunately, Github shows [[raw code|https://github.com/paternal/ikiwiki/blob/ --[[Louis|spalax]] +> Unfortunately SVG can contain embedded JavaScript, so anyone who can +> upload arbitrary SVG to this wiki can execute JavaScript in its security +> context, leading to stealing login cookies and other badness. GitHub +> won't display arbitrary user-supplied SVG for the same reasons. +> +> I've seen various attempts to sanitize SVG via a whitelist, but it's +> just too large a specification to be confident that you're right, IMO. +> +> This particular SVG [[looks good to me|users/smcv/ready]] and I've +> mirrored it in my own git repo. --[[smcv]] |