Even better... it looks like I can point to them from...

Even better... it looks like I can point to them from a regular img tag and the SVG spec has me covered: https://www.w3.org/TR/SVG2/conform.html#secure-static-mode

https://hachyderm.io/@zellyn/113370758350372205

2.2.6. Secure static mode

This processing mode is intended for circumstances where an SVG document is to be used as a non-animated image that is not allowed to resolve external references, and which is not intended to be used as an interactive document. This mode might be used where image support has traditionally been limited to non-animated raster images (such as JPEG and PNG.)
Secure Static Features
script execution no
external references no
declarative animation no
interactivity no

‘image’ references

An SVG embedded within an ‘image’ element must be processed in secure animated mode if the embedding document supports declarative animation, or in secure static mode otherwise.

The same processing modes are expected to be used for other cases where SVG is used in place of a raster image, such as an HTML ‘img’ element or in any CSS property that takes an <image> data type. This is consistent with HTML's requirement that image sources must reference "a non-interactive, optionally animated, image resource that is neither paged nor scripted" [HTML]

Like 26 October at 0:20 | Open on fedi.simonwillison.net

3 comments

Simon Willison

... and it looks like that means I can do an img tag with an src that points to a base64 encoded SVG object and any nasty JavaScript etc will be disabled for me - here's an example which seems to demonstrate that working https://gistpreview.github.io/?03f0076446027b9b12e1ea14315db52b

Screenshot showing three SVG examples demonstrating base64 embedding. Contains heading "SVG Base64 Embedding Demo" followed by three panels: 1) "Simple Sun SVG" showing a yellow circle with rays, labeled "A basic sun shape with rays" 2) "Pelican SVG" showing a gray stylized bird shape, labeled "A stylized pelican shape" 3) "SVG with JavaScript (ignored)" showing a pink square with text "JS Ignored", labeled "SVG with JavaScript that gets ignored when embedded as an image". Footer note states "When SVGs are embedded using img tags with base64 data URIs, any JavaScript or interactive elements are safely ignored by the browser."

26 October at 0:24 | Open on fedi.simonwillison.net

Kevin Marks

@simon right, an img tag sandboxes them. What I do for svgshare.com is both display them as img and also run the svg through python html5lib and remove any script elements. (I also inline it in the upload dialogue so anyone trying to xss me does it to themselves instead). The other approach is what feedparser does and whitelist svg and html elements.

26 October at 2:14 | Open on xoxo.zone

sage

@simon The main downside with this approach is that it doesn't let you style the SVG paths with CSS, which may or may not be necessary depending on your use case

26 October at 1:07 | Open on fosstodon.org

Go Up