- **labels**: security, sf-current, sf-2 --> security, sf-2
--- ** [tickets:#8011] Served SVG images can execute JS** **Status:** closed **Milestone:** unreleased **Labels:** security sf-2 **Created:** Mon Oct 26, 2015 03:10 PM UTC by Dave Brondsema **Last Updated:** Mon Oct 26, 2015 04:56 PM UTC **Owner:** Dave Brondsema Since the SVG mime type (`image/svg+xml`) starts with `image/`, the `AttachmentController` lets it be displayed in the browser rather than download. However, SVGs can contain javascript and other insecure components. https://www.hackinparis.com/slides/hip2k11/09-TheForbiddenImage.pdf https://www.w3.org/wiki/SVG_Security --- Sent from forge-allura.apache.org because [email protected] is subscribed to https://forge-allura.apache.org/p/allura/tickets/ To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
