| DaBPunkt | |
| Nov 1 2015, 3:01 PM |
| F3025116: SVG_with_profile-text.svg | |
| Nov 29 2015, 9:51 PM |
How to reproduce:
How to fix:
Allow URLS in <color-profile>-tags.
Allow URLS in <color-profile>-tags.
Well, URLs are allowed if the URL is local. At least that's what the message implies to me.
I do not think we want to allow remote / non-local URLs due to security reasons (loading random content from a random server into an SVG).
href attribute <color-profile http://www.w3.org/1999/xlink:href="/usr/share/color/icc/compatiblewithadobergb1998.icc">
That looks rather broken (and like a bug in Inkscape) if http://wiki.inkscape.org/wiki/index.php/Adding_color-profile_element is correct.
I do not think we want to allow remote / non-local URLs due to security reasons (loading random content from a random server into an SVG).
AFAIS this is not an URL for downloading, but a URL in the sense of an identifier (so more like a URI). Every SVG contains several of these.
@DaBPunkt: Ping. This ticket is unlikely to progress without your input. Also, is this problem actually specific to commons?
What is expected by me? And no, I guess it is valid for all Wikimedia-wikis; but at Commons it is most urgend.
There is a step-by-step in my first post. Of course I can not upload such a file to commons, because of the error.
Also, from the Commons project description:
Please do not report tasks under this project if the task is not actually specific to Commons but only because you found this problem on Commons. Also see How to report a bug.
So remove it.
Confirming.
The line in the SVG file is <color-profile xlink:href="/usr/share/color/icc/colord/AdobeRGB1998.icc" /> but the error message is
href attributes <color-profile http://www.w3.org/1999/xlink:href="/usr/share/color/icc/colord/adobergb1998.icc"> with non-local target (e.g. http://, javascript:, etc) are not allowed in SVG files.
Wondering what concatenates that URL.
Confirming that the warning appears while using Special:Upload.
I'm not sure a reference to a local file (as in a file stored on your computer) should be allowed. It's not really useful to anyone if you reference a color profile but don't include it. I'm not sure librsvg even considers <color-profile>, I've never included it. Even if it did, you'd have to embed the profile as a data: URL, since the only color profile on the thumbnailers is TinyRGB. A reference to a remote file would not be permitted for security reasons. Requiring color profiles to be embedded or not included at all would be consistent with how we treat all other resources in SVG files.
The warning message is definitely broken though.
I see what's going on here. The SVG contains a namespace definition <svg xmlns:xlink="http://www.w3.org/1999/xlink">, so XmlTypeCheck helpfully expands xlink: to http://www.w3.org/1999/xlink:. That's intentional, as it normalizes the names (so if you called "xlink" "ylink" you wouldn't fool the checker). MediaWiki's automatic linker is then a bit overzealous and includes the attribute and the namespace in the link.
checkSvgScriptCallback doesn't even have the un-expanded namespace available to it, so making it return just `xlink:href" would be way more work than it's worth.
Closing as half invalid (working as intended) and half declined.
