https://bugzilla.wikimedia.org/show_bug.cgi?id=3537

Smallman <m8r-udf...@mailinator.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |m8r-udf...@mailinator.com

--- Comment #13 from Smallman <m8r-udf...@mailinator.com> 2010-05-17 13:40:12 UTC ---
Although the <image> element is disabled for thumbnailing, if the user clicks
on the thumbnail to enlarge the image, or is given a link to an image, the
<image> element is still present.

As SVGs are rendered in Firefox, an image with a "xlink:href" to a malicious
image file would still go through. Or at least the user's IP would be revealed.

As an example, see
http://upload.wikimedia.org/wikipedia/commons/archive/9/9b/20100517130343!Kyokuryu-kai.svg
in which you can see the google logo in the background. This is done by adding 
  <image
     xlink:href="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png"
     x="-55.373806"
     y="-55.316906"
     width="1100"
     height="1100"
     id="image2888" />

All SVGs with "xlink:href" should be marked with some type of warning, or the
"xlink:href" stripped or commented out.

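The check the comment asks for, as an added example that is not part of the bug report or of MediaWiki's own SVG filter: walk an uploaded SVG, report every `xlink:href` (and SVG 2 plain `href`) that points off-host, and optionally strip those attributes before the file is stored. Fragment references (`#shape`) and inline `data:` URIs are left alone, since they fetch nothing. The sample SVG and the host `example.invalid` are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# SVG 1.1 uses xlink:href; SVG 2 also allows an un-namespaced href.
HREF_ATTRS = ("{%s}href" % XLINK_NS, "href")

# Constructed sample in the shape the comment describes: one <image> that
# loads a remote PNG, plus an inline data: image and a local <use> reference
# that a sanitizer must not touch.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <image xlink:href="http://example.invalid/logo.png"
         x="0" y="0" width="100" height="100" id="image2888"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="10" height="10"/>
  <use xlink:href="#shape"/>
  <rect id="shape" width="10" height="10"/>
</svg>"""


def local_name(el):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return el.tag.rsplit("}", 1)[-1]


def is_external(ref):
    """True if the reference would make the viewer contact another host.

    Fragment-only and data: references are safe; anything with a scheme
    (http:, https:, javascript:, ...) or a protocol-relative //host is not.
    """
    ref = ref.strip()
    if ref.startswith("#") or ref.lower().startswith("data:"):
        return False
    parsed = urlparse(ref)
    return parsed.scheme != "" or parsed.netloc != ""


def find_external_refs(svg_text):
    """Return [(element, href)] for every off-host reference in the SVG."""
    root = ET.fromstring(svg_text)
    hits = []
    for el in root.iter():
        for attr in HREF_ATTRS:
            val = el.get(attr)
            if val is not None and is_external(val):
                hits.append((local_name(el), val))
    return hits


def strip_external_refs(svg_text):
    """Remove every off-host href; return (cleaned_svg, number_removed)."""
    root = ET.fromstring(svg_text)
    removed = 0
    for el in root.iter():
        for attr in HREF_ATTRS:
            val = el.get(attr)
            if val is not None and is_external(val):
                del el.attrib[attr]
                removed += 1
    # Keep the usual prefixes so the output still reads like hand-written SVG.
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for tag, href in find_external_refs(SAMPLE_SVG):
        print("external reference in <%s>: %s" % (tag, href))
    cleaned, n = strip_external_refs(SAMPLE_SVG)
    print("stripped %d attribute(s)" % n)
    print(cleaned)
```

An upload hook can reject the file when `find_external_refs` returns anything, or store the `strip_external_refs` output instead; either way the raw file that a user reaches by clicking through the thumbnail no longer carries the remote reference, which is the gap the comment points out. Note that `xml.etree` is used here only because the input is a constructed sample; a parser fed real uploads should have external entity resolution disabled (for example via `defusedxml`) before this check runs.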

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
