summaryrefslogtreecommitdiff
path: root/doc/todo/svg.mdwn
blob: 274ebf3e3402bbaa9ba50c408f56a8330a724ca3 (plain) 
We should support SVG.  In particular:


    

  • 

    We could support rendering SVGs to PNGs when compiling the wiki.  Not all browsers support SVG yet.
    

    • 

  • 

    We could support editing SVGs via the web interface.  SVG can contain unsafe content such as scripting, so we would need to whitelist safe markup.
    

      

    • I am interested in seeing svg-edit integrated -- [[EricDrechsel]]
      • 

    

    • 



--[[JoshTriplett]]


[[wishlist]]


I'm allowing for inline SVG on my own installation.  I've patched my
copy of htmlscrubber.pm to allow safe MathML and SVG elements (as
implemented in html5lib).  Here's a patch
if anyone else is interested.
Actually, that patch wasn't quite
right.  I'll post a new one when it's working properly. --[[JasonBlevins]]




I'd like to hear what people think about the following:


    

  1. 

    Including whitelists of elements and attributes for SVG and MathML in
htmlscrubber.
    

    2. 

  2. 

    Creating a whitelist of safe SVG (and maybe even HTML) style
attributes such as fill, stroke-width, etc.
    

    This is how the sanitizer in html5lib works.  It shouldn't be too
hard to translate the relevant parts to Perl.
    

    --[[JasonBlevins]], March 21, 2008 11:39 EDT
    

    3. 





Another problem is that HTML::Scrubber converts all tags to lowercase.
Some SVG elements, such as viewBox, are mixed case.  It seems that
properly handling SVG might require moving to a different sanitizer.
It seems that HTML::Sanitizer has functions for sanitizing XHTML.
Any thoughts? --[[JasonBlevins]], March 21, 2008 13:54 EDT


I figured out a quick hack to make HTML::Scrubber case-sensitive by
making the underlying HTML::Parser case-sensitive:


$_scrubber->{_p}->case_sensitive(1);



So now I've got a version of htmlscrubber.pm (diff)
which allows safe SVG and MathML elements and attributes (but no
styles—do we need them?).  I'd be thrilled to see this
in the trunk if other people think it's useful.
--[[JasonBlevins]], March 24, 2008 14:56 EDT




Unfortuantly these links are broken. --[[Joey]]






Actually, there's a way to embed SVG into MarkDown sources using the data: URI scheme, like this.
Of course, this way to display an image one needs to click a link, but it may be considered a feature.
— [[Ivan_Shmakov]], 2010-03-12Z.




You can do the same with img src actually.


If svg markup allows unsafe elements (ie, javascript),
which it appears to,
then this is a security hole, and the htmlscrubber
needs to lock it down more. Darn, now I have to spend my afternoon making
security releases! --[[Joey]]
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-02 04:58:51 +0000