Image

809

361

javascript.svg

An SVG file that includes JavaScript

Private

Dimensions: 100x100
Size: 229 bytes
Created:
Type: image/svg+xml
Public Domain (PD)

Maren Hachmann wrote:

I guess it's not good that it's executed once I click on 'view'... There doesn't seem to be any page around the 'view' thing.

Or we should have a warning that says 'file contains active contents...'.

Patrick Storz wrote:

I guess it's neither good nor bad, it's just how SVGs are handled by browsers (when viewing an SVG directly browsers will execute embedded scripts).

It's really not more "dangerous" than the rest of the internet. In fact it can be used for good: Inkscape can add JavaScript polyfills to render mesh gradients these days for example (Tav's and Valentin's GSOC work).

The main thing I wanted to check was whether RocketChat would execute the script while previewing the file (which would open the door for somebody to post the link to a file on an external server and they could potentially inject whatever scripts they wanted into the chat page without people being able to avoid it). Luckily that does not happen.

As for showing a warning, I guess we could do that, but it might cause more trouble (cause unwarranted fear) than it's worth (do we have any evidence people try to exploit this?). Also we have to be aware that a Python extension (or any extension for that matter) could possibly be significantly more malicious (as it actually has access to the user's system) and I doubt that people follow the security note on the gallery page (do we actually expect users to be able to read the Python code?).
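The warning Maren suggests ("file contains active contents...") needs something to key on. The following is an added example, not code from Inkscape or the gallery, showing how a gallery or chat backend could flag an uploaded SVG before deciding whether to preview it inline, serve it as a download, or show a notice. It walks the XML tree and reports the three things a browser would actually run when the file is opened directly: `<script>` elements (including ones embedded in HTML inside `<foreignObject>`), `on*` event-handler attributes, and `javascript:` URLs in `href`/`xlink:href`. The sample documents and the function names are constructed for this example; the real `javascript.svg` above is not reproduced here.

```python
"""Detect active content (scripts, event handlers, javascript: URLs) in an SVG document.

Added example for flagging uploads; it is a detector, not a sanitizer.
"""
import xml.etree.ElementTree as ET

# Elements that execute or load code when the SVG is opened directly in a browser.
# "script" also matches XHTML <script> nested inside <foreignObject>.
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
SCRIPT_SCHEME = "javascript:"


def _local(name: str) -> str:
    """Strip the ElementTree namespace prefix "{uri}local" down to "local"."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg: bytes) -> list[str]:
    """Return human-readable findings for each piece of active content; [] means none seen.

    A file that does not parse as XML is reported as a finding too, since a
    lenient renderer might still display it and a scanner must not silently pass it.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    for elem in root.iter():
        # Comments/PIs can have a non-string tag in some parsers; skip them.
        tag = _local(elem.tag).lower() if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                # onload, onclick, onmouseover, ... all run script
                findings.append(f"event handler attribute {name}= on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(SCRIPT_SCHEME):
                # covers both plain href and xlink:href (namespace stripped above)
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def has_active_content(svg: bytes) -> bool:
    """True if the uploaded SVG should trigger the 'contains active content' notice."""
    return bool(find_active_content(svg))


# Constructed sample inputs (not the gallery's javascript.svg).
SAMPLE_SCRIPT = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<script>console.log("hello from svg")</script></svg>'
)
SAMPLE_HANDLER = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<rect width="10" height="10" onclick="console.log(1)"/></svg>'
)
SAMPLE_HREF = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<a xlink:href="javascript:console.log(1)"><text>x</text></a></svg>'
)
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
SAMPLE_BROKEN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect'

if __name__ == "__main__":
    for label, doc in [("script", SAMPLE_SCRIPT), ("handler", SAMPLE_HANDLER),
                       ("href", SAMPLE_HREF), ("clean", SAMPLE_CLEAN), ("broken", SAMPLE_BROKEN)]:
        print(label, "->", find_active_content(doc) or "no active content")
```

The detector is deliberately conservative: it flags rather than rewrites, so a legitimate use such as the mesh-gradient polyfill Patrick mentions would still be visible to the user as "contains active content" instead of being silently stripped. Where a site never wants uploaded SVGs to run script at all, the stronger control is to serve them with a `Content-Security-Policy` that disallows script, or as a download rather than an inline view, and to use the detector only for the notice.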

Maren Hachmann wrote:

Yes, of course.

They can ask someone, for example, if they are unsure...
