Page MenuHomePhabricator

SVG upload should have more specific error (warning) message when blocking
Closed, ResolvedPublic


Many people (also experienced) are wondering about her SVG get blocked with an incomprehensible warning message: "This file contains HTML or script code that may be erroneously interpreted by a web browser." (in this case I was also called "an SVG expert")


Event Timeline

Perhelion raised the priority of this task from to Needs Triage.
Perhelion updated the task description. (Show Details)
Perhelion added a subscriber: Perhelion.
Perhelion added a project: MediaWiki-Uploading.
Perhelion set Security to None.
Perhelion renamed this task from Show more concrete warning notices when blocking SVG upload to SVG upload should have more specific error (warning) message when blocking.Jan 6 2015, 3:53 PM
Perhelion updated the task description. (Show Details)
Perhelion added a project: UploadWizard.

I guess it's also a security restriction to not run potentially malicious code.

How would you rephrase that warning?

You mean you can't made the message concrete? If you get security through left information is not a good idea. It would be pseudo security as Microsoft it does. :-P

I guess the message is in the same time a bit to restrictive and to unspecific.
The best would be an specific note what is concrete blocked.
If not, add more what could be blocked, as external links for example (which was a concrete given case). External images get unfortunately removed without notice T5537.

Hi, I would like to work on resolving this issue. I am new to WikiMedia and in need of assistance as to how this error can be reproduced. Currently I am looking into how concrete error messages can be thrown when svg files are uploaded on the server. I would greatly appreciate suggestions on resolving this issue.

@Darkdragon09 the code that does the filtering of "bad" SVGs is in UploadBase.php, the checkSvgScriptCallback function. By reading that code you should find easy ways to write an SVG file that will hit the filter. For example including a <script> element in the SVG file would work.

I hope that helps.

Hi, after going through the source code, I understand that we need to update the checkSvgScriptCallback function, and change it's return type from boolean to array. This array would contain the error messages that need to be returned.

Since this function is referenced only in UploadBase.php and UploadBaseTest.php and used by the class XmlTypeCheck, updating this function should not cause any errors elsewhere. We'll also have to update the XmlTypeCheck class and add a new variable say. "uploadScriptableErrorType" to the class that would store the error message returned by checkSvgScriptCallback function.

The error message stored in "uploadScriptableErrorType" variable can be referenced by detectScriptInSvg function in UploadBase.php and a concrete error message can be returned instead of "uploadscripted" to SpecialUpload.php file. Finally, a concrete error message can be referenced using the Message Class.

I have added concrete error messages to i18n/en.json and their description to qqq.json file and the error messages are getting displayed properly.

Kindly let me know in case I have missed out something and if I am following the right procedure to solve the issue.


Change 194466 had a related patch set uploaded (by Darkdragon09):
SVG upload with specific error (warning) message when blocking

Hi, Can someone review this patch. The patch needs to be reviewed for the content of error messages and their description in qqq.json file.

(Please don't ping after two hours as every message (in Phab and in Gerrit) creates notifications. You can and should ping after a few days if you have not received any reviews. Thank you! :)

Hi, Can someone review the patch submitted for this bug. Would greatly appreciate suggestions to improve the patch.

Link :-

Bawolff claimed this task.
Bawolff added a subscriber: Bawolff.

patch merged. Thanks darkdragon

Change 194466 merged by jenkins-bot:
SVG upload with specific error (warning) message when blocking