https://bugzilla.wikimedia.org/show_bug.cgi?id=3537
Smallman <m8r-udf...@mailinator.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |m8r-udf...@mailinator.com

--- Comment #13 from Smallman <m8r-udf...@mailinator.com> 2010-05-17 13:40:12 UTC ---
Although the <image> element is disabled for thumbnailing, if the user clicks
on the thumbnail to enlarge the image, or is given a link to an image, the
<image> element is still present. As SVGs are rendered in Firefox, an image
with an "xlink:href" to a malicious image file would still go through. Or at
least the user's IP would be revealed.

As an example, see
http://upload.wikimedia.org/wikipedia/commons/archive/9/9b/20100517130343!Kyokuryu-kai.svg
in which you can see the Google logo in the background. This is done by adding

<image xlink:href="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png" x="-55.373806" y="-55.316906" width="1100" height="1100" id="image2888" />

All SVGs with "xlink:href" should be marked with some type of warning, or the
"xlink:href" stripped or commented out.
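
One way to implement the flag-or-strip check the comment asks for, as an added example that is not part of the original bug comment or MediaWiki's own code. The function names and the sample SVG are constructed for illustration, and the policy of keeping same-document ("#...") and "data:" references, so that gradients and embedded rasters survive, is an assumption that goes beyond the comment's proposal.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("{%s}href" % XLINK_NS, "href")  # xlink:href and plain href

# Constructed sample built around the <image> element quoted in the comment.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <defs><linearGradient id="g1"/></defs>
  <linearGradient id="g2" xlink:href="#g1"/>
  <image xlink:href="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png"
         x="-55.373806" y="-55.316906" width="1100" height="1100" id="image2888"/>
  <image xlink:href="data:image/png;base64,AAAA" id="embedded"/>
</svg>"""


def is_remote(href):
    """True if resolving href makes the viewer request another resource."""
    value = href.strip().lower()
    return not (value.startswith("#") or value.startswith("data:"))


def find_remote_refs(svg_text):
    """Return (tag, id, href) for every element whose href leaves the file."""
    # For untrusted uploads, parse with a hardened XML parser instead.
    hits = []
    for el in ET.fromstring(svg_text).iter():
        for attr in HREF_ATTRS:
            href = el.get(attr)
            if href is not None and is_remote(href):
                tag = el.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" part
                hits.append((tag, el.get("id"), href))
    return hits


def strip_remote_refs(svg_text):
    """Return (clean_svg, removed_count) with remote href attributes deleted."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    removed = 0
    for el in root.iter():
        for attr in HREF_ATTRS:
            href = el.get(attr)
            if href is not None and is_remote(href):
                del el.attrib[attr]
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

`find_remote_refs` supports the "mark with a warning" option and `strip_remote_refs` the "strip" option; both look only at href attributes.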