Relax aggressive checkSvgScriptCallback() in UploadBase.php which prevents upload of some script-less Inkscape SVGs
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To

Authored By

	Nathanal
	Aug 5 2021, 3:33 AM

Description

Originally reported in Inkscape's bugtracker at https://gitlab.com/inkscape/inbox/-/issues/5395 by rebio

Download
example_file.svg7 KBDownload
(or create an Inkscape svg file, with a path with an Fillet/Chamfer LPE applied)
Login to Wikimedia commons
Try to upload the svg to Wikimedia Commons https://commons.wikimedia.org/wiki/Special:UploadWizard

What happens?:

Upload failed, with the following warning
- Found event-handler attribute only_selected="false" in uploaded file.

What should have happened instead?:

No error.

Marc Jeanmougin identified the problem in https://gitlab.com/inkscape/inbox/-/issues/5395#note_637538360 :

This is caused by the check on https://github.com/wikimedia/mediawiki/blob/master/includes/upload/UploadBase.php#L1670 [(https://github.com/wikimedia/mediawiki/blob/de91a0db45eaf31b57873b9d22aceaaa3d1be09a/includes/upload/UploadBase.php#L1670)] being WAY too aggressive : they check for any properties starting with "on" (reasonable given the list of properties in https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers ) in any element from any namespace which is the part that makes no sense : things in a <inkscape:path-effect> element will not get processed by a browser so there is no reason to clear its properties.

Details

	Subject	Repo	Branch	Lines +/-
	upload: Allow attributes starting with "on" in inkscape SVG namespace	mediawiki/core	master	+103 -2

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open		None	T44725 Multimedia file format support (tracking)
		Resolved	BUG REPORT	TheDJ	T288186 Relax aggressive checkSvgScriptCallback() in UploadBase.php which prevents upload of some script-less Inkscape SVGs

Event Timeline

Nathanal created this task.Aug 5 2021, 3:33 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 5 2021, 3:33 AM

Nathanal updated the task description. (Show Details)Aug 5 2021, 3:38 AM

Aklapper renamed this task from checkSvgScriptCallback too aggressive, preventing upload of some script-less Inkscape svgs. to Relax aggressive checkSvgScriptCallback() in UploadBase.php which prevents upload of some script-less Inkscape SVGs.Aug 5 2021, 8:19 AM

Aklapper added a project: MediaWiki-Uploading.

El_Grafo added a parent task: T44725: Multimedia file format support (tracking).Sep 29 2022, 10:46 AM

Change 876015 had a related patch set uploaded (by TheDJ; author: TheDJ):

[mediawiki/core@master] Allow attributes starting with on in inkscape namespace

https://gerrit.wikimedia.org/r/876015

gerritbot added a project: Patch-For-Review.Jan 5 2023, 9:24 PM

Change 876015 merged by jenkins-bot:

[mediawiki/core@master] upload: Allow attributes starting with "on" in inkscape SVG namespace

https://gerrit.wikimedia.org/r/876015

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.23; 2023-02-13).Feb 13 2023, 1:00 AM

Maintenance_bot removed a project: Patch-For-Review.Feb 13 2023, 1:30 AM

TheDJ closed this task as Resolved.Mar 6 2023, 8:30 PM