Hacker News

An article about the rise of SVG with numerous images of SVG drawings, and not a single one of them is an actual SVG :)

Maybe because the publishing platform he uses doesn't support uploading/pasting it (e.g. it escapes the XML).

I have a few projects where allowing users to upload SVG files like other image types would be useful, but SVGs can contain JavaScript, so allowing straight SVGs is an XSS vulnerability. I don't know what the correct way is to strip JavaScript out of SVG files. There must be some library which can parse an SVG, keep only whitelisted non-JavaScript-containing properties, and write out the file again, but I can't find it. (What does Wikipedia use?)

Perfect, thanks! I looked for a long time before and couldn't find anything that seemed right.

Yeah because sanitizing client side is a great idea.

I don't think the idea is that the sanitization happens on the client when they submit content. The client can do the sanitization when they view content. Often it will make sense for the server to do it, but sometimes not. Imagine you're writing an email client web app against someone else's API, and their API gives you the raw HTML of email messages that people have sent to you. Then it's the client's job to sanitize that HTML for rendering.

Also you can run that library on the server with node.

Yeah, I dunno why they market the lib so heavily for client-side use. But it's 2015: JS is as much server as it is client.

Serious question: what's wrong with that?

I think his concern is: since the security program would need to run on the attacker's computer, the attacker may simply opt not to use it, circumvent it. That being said, I don't see why it can't be used to sanitize requests to the server.

Well, if you are worried about XSS, that is a case of an attacker's code running on a victim's machine. If they process SVGs through the lib before adding them to the DOM, that would be one way to prevent the XSS attack. This seems to be what DOMPurify is suggesting based on their documentation.

The main reason is that the server is more often than not NOT JavaScript based.
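The approach asked for earlier in the thread (parse the SVG, keep only an allow-list of elements and attributes, write it back out) and the point that the server is often not JavaScript can be illustrated with a small server-side sanitizer in Python. This is an added example, not DOMPurify's code and not whatever Wikipedia uses; the allow-lists are illustrative choices for this example and the sample SVG is constructed. Rather than trying to recognise scripts, it rebuilds a fresh tree and copies across only what is explicitly permitted, so `<script>`, `<foreignObject>`, every `on*` handler, non-fragment `href` values and `style` values containing `url(...)` all fall away without being named individually.

```python
"""Allow-list SVG sanitizer (added example; not DOMPurify or Wikipedia's code).

Parses the upload as XML, rebuilds a new tree that contains only allow-listed
SVG elements and attributes, and serializes it back. Everything else is
dropped and recorded so the server can log what an upload tried to carry.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

ET.register_namespace("", SVG_NS)        # serialize without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)

# Illustrative allow-lists (an assumption of this example); a real deployment
# would tune them to the drawings it actually needs to accept.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "symbol", "use", "title", "desc",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop",
    "clipPath", "mask", "pattern",
}
ALLOWED_ATTRIBUTES = {
    "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "viewBox", "preserveAspectRatio", "version", "transform",
    "d", "points", "fill", "fill-opacity", "fill-rule", "stroke", "stroke-width",
    "stroke-linecap", "stroke-linejoin", "opacity", "offset", "stop-color",
    "font-size", "font-family", "text-anchor", "style", "href",
}
# Inline style survives only if it is made of these characters: no parentheses,
# quotes, slashes, backslashes or '@', so url(), expression() and @import
# cannot be expressed at all.
SAFE_STYLE = re.compile(r"^[\w\s:;#.,%-]*$")


def _split(qname):
    """'{uri}local' -> ('uri', 'local'); 'local' -> ('', 'local')."""
    ns, _, local = qname.rpartition("}")
    return ns.lstrip("{"), local


def _clean_attribute(qname, value, dropped):
    ns, local = _split(qname)
    # Only plain attributes and xlink:* are considered; every on* event
    # handler simply fails the allow-list test.
    if ns not in ("", XLINK_NS) or local not in ALLOWED_ATTRIBUTES:
        dropped.append(f"attribute:{local}")
        return None
    if local == "href" and not value.startswith("#"):
        # Same-document references only (<use href="#id">); no javascript:,
        # data: or remote URLs.
        dropped.append(f"href:{value}")
        return None
    if local == "style" and not SAFE_STYLE.fullmatch(value):
        dropped.append(f"style:{value}")
        return None
    return value


def _clean_element(elem, dropped):
    ns, local = _split(elem.tag)
    if ns != SVG_NS or local not in ALLOWED_ELEMENTS:
        # Unknown or foreign-namespace element: drop it with its whole subtree.
        # This is what removes <script>, <foreignObject>, <a>, <style>, ...
        dropped.append(f"element:{local}")
        return None
    clean = ET.Element(elem.tag)
    for qname, value in elem.attrib.items():
        kept = _clean_attribute(qname, value, dropped)
        if kept is not None:
            clean.set(qname, kept)
    clean.text = elem.text  # character data is inert inside the allowed elements
    for child in elem:
        clean_child = _clean_element(child, dropped)
        if clean_child is not None:
            clean_child.tail = child.tail
            clean.append(clean_child)
    return clean


def sanitize_svg(svg_text):
    """Return (sanitized SVG as a string, list of dropped items)."""
    # xml.etree does not fetch external entities, but for untrusted uploads
    # in production parse with defusedxml so entity expansion is capped too.
    root = ET.fromstring(svg_text)
    dropped = []
    clean_root = _clean_element(root, dropped)
    if clean_root is None:
        raise ValueError("root element is not an SVG <svg> element")
    return ET.tostring(clean_root, encoding="unicode"), dropped


# Constructed sample upload mixing a legitimate drawing with the usual
# script-bearing constructs a sanitizer must remove.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert(1)</script>
  <defs><circle id="dot" cx="50" cy="50" r="10" fill="red"/></defs>
  <use xlink:href="#dot"/>
  <use xlink:href="javascript:alert(1)"/>
  <rect x="1" y="1" width="10" height="10"
        style="fill:blue; stroke:url(javascript:alert(1))"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x"
        onerror="alert(1)"/></body></foreignObject>
  <text x="5" y="5" onclick="alert(1)">hello</text>
</svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(SAMPLE_SVG)
    print(clean)
    print("dropped:", dropped)
```

The second return value is there for the server side of the argument: an upload that shed `element:script` or `attribute:onload` is worth logging and rate-limiting even though the stored file is now inert. Serving the cleaned file with `Content-Type: image/svg+xml` and a restrictive `Content-Security-Policy` on the image origin adds a second layer in case the allow-list is ever loosened too far.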

...making the irony [of them being a graphics publishing platform outfit] that much thicker

You're right, it's the publishing platform, but it is also my laziness. I don't know if it's the WordPress theme I'm using or the SVG plugin I tried, but I have yet to get fluent at using SVG in this WordPress blog: ironically it seemed to work fine on desktop but didn't resize well on mobile. I'll give it another try.
