author    smcv <smcv@web>    2014-07-04 05:35:57 -0400
committer admin <admin@branchable.com>    2014-07-04 05:35:57 -0400
commit    9550d2c92c296e32c40e36c87d7b34492c7749c3 (patch)
tree      d85cd3236ea53db5451b6e338701f636ec9f06ae /doc
parent    2c18086a74ead49dddf6a50e56faf3cb7fdb9f0c (diff)
yes please
Diffstat (limited to 'doc')
-rw-r--r--  doc/todo/upload__95__figure.mdwn  10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/todo/upload__95__figure.mdwn b/doc/todo/upload__95__figure.mdwn
index 52034c21b..d8dd65921 100644
--- a/doc/todo/upload__95__figure.mdwn
+++ b/doc/todo/upload__95__figure.mdwn
@@ -8,3 +8,13 @@ Unfortunately, Github shows [[raw code|https://github.com/paternal/ikiwiki/blob/
--[[Louis|spalax]]
+> Unfortunately SVG can contain embedded JavaScript, so anyone who can
+> upload arbitrary SVG to this wiki can execute JavaScript in its security
+> context, leading to stealing login cookies and other badness. GitHub
+> won't display arbitrary user-supplied SVG for the same reasons.
+>
+> I've seen various attempts to sanitize SVG via a whitelist, but it's
+> just too large a specification to be confident that you're right, IMO.
+>
+> This particular SVG [[looks good to me|users/smcv/ready]] and I've
+> mirrored it in my own git repo. --[[smcv]]
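Review bot: the reply states the risk clearly (script embedded in an uploaded SVG runs in the wiki's own security context, so it can read login cookies) but leaves the resulting decision for this todo item implicit; the only hint is the last paragraph, where the one figure in question is accepted after manual review and mirrored into a git repo rather than accepted through a general SVG upload path. Consider stating that outcome explicitly in the first paragraph so a later reader of the todo does not have to infer it. As a style point, add a blank line between the `--[[Louis|spalax]]` signature line and the first `> Unfortunately SVG can contain ...` line so the reply renders as a separate blockquote under any Markdown implementation.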