
On SVG files' pages, put the bright orange warning telling them it's insecure, like we do for PDFs
Open, Low, Public

Event Timeline

Restricted Application added subscribers: Zppix, Malyacko, Matanya, Aklapper. Jul 1 2016, 2:46 PM
Bawolff added a subscriber: Bawolff. Edited Jul 1 2016, 7:18 PM

I'm not sure about this. I think this might cause unnecessary fear relative to the risk factor for an SVG (particularly once CSP is implemented).

Unlike PDFs, we do try to detect malicious files (albeit not perfectly), and the type of exploits that malicious PDFs have done are quite a bit worse than what someone can do with a malicious SVG in a browser (barring browser bugs).

Yeah… if we want this, I think we should implement both whitelisting for SVGs (for files that are definitely perfectly safe) and blacklisting (for files that are definitely not safe), and allow files in the grey area in the middle with this warning.

Tgr added a subscriber: Tgr. Jul 19 2016, 1:23 AM
MarkTraceur lowered the priority of this task from Medium to Low. Dec 2 2016, 10:02 PM
MarkTraceur moved this task from Untriaged to Triaged on the Multimedia board.
MarkTraceur added a subscriber: MarkTraceur.

Given uncertainty, lowering priority.