Joomla-cms: Upload SVG images blocked

Created on 21 Jun 2017 · 19 Comments · Source: joomla/joomla-cms

Steps to reproduce the issue

Upload an SVG image; even if the media manager accepts it, it is blocked.

Expected result

Uploading works if the media manager that is used accepts them (Ark Media in my case).

Actual result

On upload it is blocked by Joomla.
Here you can find my post on ArkExtensions where the developer is explaining to me what the problem is.
http://arkextensions.com/technical-support/4954-svg-image-file-type-not-right-on-upload#reply-4958

Additional comments

I understand SVG is a security issue; as it is not my expertise, I am happy people make it secure.
But SVG is a really nice way to show logos and certain images that need to look great in different sizes.
Is there a way to keep it secure but give ACL to the upload function so I, as super user, can upload images?

Thanks!

J3 Issue No Code Attached Yet

All 19 comments

Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/16795

Closed as duplicate report of #14356

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16795.

Re-opening. #14356 is specific to com_fields and this is more generic

Looking into this it's caused by line 294 on
libraries/cms/helper/media.php

'xml', 'xmp', '!DOCTYPE', '!--',

to be exact. Each of these is a match within an SVG.

My only thought is to add an exception here if it is an

@tonypartridge any progress on this?

I tried to go to his site... way uncool

This might be a viable solution.. https://github.com/darylldoyle/svg-sanitizer
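
What "keep it secure" can mean for an SVG upload, as an added example that is not part of the thread, not Joomla's code and not the linked library: parse the file as XML and report the obvious active-content carriers. The function name `svgUploadProblems` and both sample files are constructed for illustration.

```php
<?php
// Added example: helper name and sample files are constructed for illustration.

/** Return the reasons an uploaded SVG should be rejected (empty array: none found). */
function svgUploadProblems(string $svg): array
{
    libxml_use_internal_errors(true);          // collect parse errors instead of warnings
    $doc = new DOMDocument();
    if (!$doc->loadXML($svg, LIBXML_NONET)) {  // LIBXML_NONET: no network fetches while parsing
        libxml_clear_errors();
        return ['not well-formed XML'];
    }
    $problems = [];
    if ($doc->doctype !== null) {
        $problems[] = 'DOCTYPE present (can declare entities)';
    }
    if (strtolower($doc->documentElement->localName) !== 'svg') {
        $problems[] = 'root element is not <svg>';
    }
    $active = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array(strtolower($el->localName), $active, true)) {
            $problems[] = "active element <{$el->nodeName}>";
        }
        foreach ($el->attributes as $attr) {
            $name  = strtolower($attr->localName);
            $value = strtolower(preg_replace('/\s+/', '', $attr->value));
            if (strpos($name, 'on') === 0) {
                $problems[] = "event handler attribute {$attr->nodeName}";
            } elseif ($name === 'href' && strpos($value, 'javascript:') === 0) {
                $problems[] = "script URL in {$attr->nodeName}";
            }
        }
    }
    return $problems;
}

// Constructed samples: a plain logo with a comment, and a file carrying script.
$logo   = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
        . '<!-- logo --><circle cx="5" cy="5" r="4"/></svg>';
$active = '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
        . '<script>init()</script></svg>';

foreach (['logo' => $logo, 'active' => $active] as $label => $svg) {
    $found = svgUploadProblems($svg);
    echo $label, ': ', $found ? implode('; ', $found) : 'no problems found', PHP_EOL;
}
```

A structural check like this reports what it recognises; rewriting a file down to an allowlist of elements and attributes is the job of a sanitizer such as the one linked above.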

@tonypartridge idk where you got that path from.. It doesn't exist in current J! staging.

@N6REJ The path has changed for 3.8 I believe. It is now:
/libraries/src/Helper/MediaHelper.php

As an intermediate step could svg upload/edit support be added in Templates:Customize?

That would have the ACL restrictions for uploading already taken care of. It also allows for the more likely use case of SVGs as template elements rather than end user uploads via media manager.

As @dgt41 stated, webp is not implemented either so this would be a perfect time to make this happen.

why add support for an image format that is not supported on the set of browsers joomla supports

Users can deploy Joomla sites with higher requirements than what we offer support for out-of-the-box.

so this would be a perfect time to make this happen

Are we talking for Joomla 3 or 4 here?

@dgt41 thanks for the suggestion. My use case is for uploading and editing svg's within the template manager. I am able to upload but not to edit within the code editor at Templates:Customize. I am not even making a big push for svg inclusion in media manager. I am advocating for the ability to make adjustments to existing svg's as template elements. As I suggested above, inclusion in just templates provides better ACL control than broader implementation and provides for the most likely scenario of using them as template design elements rather than content items.

@genr8r so you need something like: https://github.com/joomla/joomla-cms/pull/14485 and then allowing svg files to be manipulated in the com_template options...

@dgt41 exactly. Just thought other developers might also appreciate this flexibility rather than having to break out an IDE to tweak a color or other parameter on an SVG element used in a template. I am sensitive to @brianteeman's comments about unsupported image formats and I am aware of the security concerns that SVGs introduce. It is just that I am seeing more SVG implementation in templates and frameworks (specifically Gantry).

Please test PR #28599.