Image
 
 

814

 

368

javascript.svg

An SVG file that includes JavaScript

Private

Area
100x100
Size
229 bytes
Created
Type
image/svg+xml
Public Domain (PD)
Maren Hachmann wrote :

I guess it's not good that it's executed once I click on 'view'... There doesn't seem to be any page around the 'view' thing.

Or we should have a warning that says 'file contains active contents...'.

Patrick Storz wrote :

I guess it's neither good nor bad, it's just how SVGs are handled by browsers (when viewing an SVG directly browsers will execute embedded scripts).

It's really not more "dangerous" than the rest of the internet. In fact it can be used for good: Inkscape can add JavaScript polyfills to render mesh gradients these days for example (Tav's and Valentin's GSOC work).

The main thing I wanted to check was whether RocketChat would execute the script while previewing the file (which would open the door for somebody to post the link to a file on an external server and they could potentially inject whatever scripts they wanted into the chat page without people being able to avoid it). Luckily that does not happen.

As for showing a warning, I guess we could do that, but it might cause more trouble (cause unwarranted fear) than it's worth (do we have any evidence people try to exploit this?). Also we have to be aware that a Python extension (or any extension for that matter) could possibly be significantly more malicious (as it actually has access to the user's system) and I doubt that people follow the security note on the gallery page (do we actually expect users to be able to read the Python code?).

Maren Hachmann wrote :

Yes, of course.

They can ask someone, for example, if they are unsure...

Please log in to leave a comment!