-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Image preview not working with SVG #18526
Comments
For me the preview (thumbnails which are pngs generated from svgs) are working, but not the lightbox (full resolution actual svg). |
Converting it to png for the lightbox is perfectly acceptable, we use a lot of svgs internally and the thumbnails are fine as pngs, people understand what it is. Privacy is understandable, nobody needs vector scaling in an image preview in lightbox.. (preferably when saving the image as it does the svg though, obviously the download button does) |
@alexanderstephan there's some cross site scripting vulnerability in them (see that post above mine), but the thumbnails have worked for me for at least a year (and my entire office can view them fine too) I think of SVG does indeed have that vulnerability it should just be treated as either:
|
Ideally the SVG could be cleared of potentially dangerous things, disallow |
@G2G2G2G Interesting, I asked a lot of people to try it as well, but it did work for none of them yet. But that fits in with my believe that behavior is not consistent right now. I am also wondering why the Lightbox worked for unencrypted Rooms when the vulnerability should be identical. Converting to png would a possible solution, but it might not be ideal, especially for larger images combined with larger screens. Also, thumbnails should not oppose a thread as far I can tell, since the svg is contained within an However, we could just use something like DOMPurify to solve the problem in general. I think this was mentioned in a similiar issue before. |
@alexanderstephan lmao that's hilarious, the lightbox DOES work with unencrypted (non e2e to be 100% clear) rooms. I've tested this since you mentioned it, you can post an svg into a non e2e room and forward it to another room, any type, and lightbox still works there. Massive oversight if their goal truly was to stop all SVGs for some XSS attack @t3chguy (since he posted that in the other thread, might be good to know that the filtering out doesn't actually work) I like your DOMpurify idea. I do not understand the base64 styled attacks etc but from what I read it unfortunately isn't as easy as just deleting all of the "http/s ://" etc.. In inkscape, I use the optimized SVG saving, which uses this to strip out everything: |
@G2G2G2G Nice idea with scour! But I agree, I think we should not alter the data (if not needed for security or to fix malformed code) and also DOMPurify is a project mainly dedicated to enhance security. From what I've seen scour is rather for optimizing performance. So I would prefer DOMPurify for those reasons. I finally had some time again to do some more testing. I actually could reproduce the behavior regarding forwarding. Update: Yep, in order to safely display SVG files within e2e encrypted rooms, it should always get sanitized, or the complete way blob urls are used, must be changed, I think. I just wondered at first whether files would be encrypted in general after being forwarded to e2e rooms, but that does not seem to be the case. It makes sense to me since security is compromised when sending the data for the first time without encryption. I am preparing a PR that proposes a fix for the lightbox issue, it should be ready soon! :) |
@G2G2G2G I played around with using DOMPurify and came up with a Draft PR. DOMPurify actually should be secure by default, even for base64 style attacks. I think the name is a bit misleading, as it actually does more then purifying. It has a very tight security policy and a mailing list, and tries to adress every possible security incident that has occured for SVGs. But I still need to figure out some things, as now the downloaded file gets also sanitized. |
I read that comment in your previous post edit, it doesn't really make sense to me that if it has issues with e2e they shouldn't also be blocked with regular rooms. So yea I agree with running your dompurify draft in all rooms for svgs. |
I have just tried this again, and it now displays both thumbnail and full resolution (presumably the actual svg) in the lightbox for me. An issue seems to be that in contrast to pixel based images, element/electron/chromium doesn't seem to have a proper sense of scale for vector images: the image is displayed bigger than my viewport is, and can't be zoomed. |
Very interesting, but also works for me now (non e2e of course). If you look at the source code of the svg, does at have a specified height and width? If not, what happens if you add it? From my experience this happens when the size can't be inferred from the file. In this case the svg could be limited to a percentage of the windows width e.g., I think. |
svgs aren't like regular images (unfortunately) in browsers, their scale can be all out of whack depending on viewbox and their internal sizes.. |
correct, limited to non-e2ee, I seem to have missed this was pointed out earlier.
The |
Here's a good explanation https://www.geeksforgeeks.org/svg-viewbox-attribute/ the sizes inside of the svg are only relevant to the svg itself.. (but with nothing set the svg sometimes takes the entire space available because some viewboxes are massive)
(a simple svg from mozilla's site, added fill="blue" so it's easier to see on darkmode... save as whatever.svg) The HTML inside of element currently looks like this:
This will fix it, simply adding the height.. or the width.. or both, adding only 1 of them keeps the aspect ratio correct, I'd say height is probably the best, but if it's super wide then it might go off screen, say if it was 100px height and 100000px width lol I guess getting the dimensions of the svg with javascript and then your element screen size with javascript and calculating a good view size would be the best thing so you don't mess up the aspect ratio etc (this is the only way to prevent people from simply making 200byte svgs that take up people's entire screens and annoy them) |
I just came across an event like this in a public room "content": {
"body": "unifiedpush_broad_overview.svg",
"info": {
"h": 1587,
"mimetype": "image/svg+xml",
"size": 28044,
"w": 1123,
"xyz.amorgan.blurhash": "TKI5MT%}56-RtRSh00ng-o?]--xV"
},
"msgtype": "m.image",
"url": "mxc://librepush.net/QagMrijoMYyceCArSDpyUPfo"
} that is: svg, no thumb, yes blurhash. it displays in the timeline just the blurhash. svg works in the lightbox. timeline either fails to render the svg, or does not even try, but it really should. at the same time this image uses black text on a transparent background. this is really illegible, especially with dark mode element. there should be a toggle to add (custom?) background color behind svgs at least in the lightbox. |
Using @G2G2G2G s approach to specify the height works just fine, but the real problem is calculating the blur hash for the preview. I can't seem to get a proper blur hash as calculated in To solve this, my idea was to manually set the Alternatively, one could probably modify the blur hash algorithm itself, but I would like to avoid it. Another alternative would be to not display this kind of SVG again like it was before, just sending it as a file that can be downloaded. |
such a headache, I get some of it when working with svgs on web stuff... I see why so many places embed into font glyphs instead of the svg groups/layers for web images/icons That blurhash doesn't care about aspect ratio at least on their site, it smashes it to a static size and hashes it.. imo good enough for the outcome cuz it looks bad regardless, so idk if it's even worth bothering calculating the thumbnail sizes instead of just 1 static size or whatever. |
Another thing to consider is that blurhash doesn't support transparency which a lot of SVGs rely on - #18054 |
Closing in favour of #15094 which has security background to it. |
Steps to reproduce
What happened?
The lightbox opens up but the image is not shown anywhere
What did you expect?
For the image to be displayed, centered in the lightbox
Operating system
macOs
Browser information
Chrome / Firefox
URL for webapp
develop.element.io
The text was updated successfully, but these errors were encountered: