upvote

points

by andybak21 hours ago |
comments
upvoteby pupppet17 hours ago|
next
[-]
This is what happens when there isn't an adult in the room to reign things in, you get project overreach. SVGs should never have supported scripting. You want scripting in SVGs, fine, make it a different file format.

I can't imagine the cumulative number of man hours wasted on this problem when the vast majority of users were just looking for a way to make their logos look sharp.

reply
upvoteby thrance16 hours ago|
parent|
next
[-]
Or you can literally just manipulate your SVG through the DOM in an external JS script... I still have no idea what the original motivation behind scripts in SVGs was.
reply
upvoteby zarzavat13 hours ago|
parent|
next
[-]
While SVG is a web technology, for the longest time you had to install SVG support as a browser plug-in. I remember installing Adobe SVG viewer around 2000. It was used for interactive visualizations.

I'm don't remember precisely but I don't think you could script it from the DOM, I don't see how that could work if it's a plugin.

reply
upvoteby bobthepanda16 hours ago|
parent|
prev|
[-]
I imagine it may have been attractive to those who liked Flash.
reply
upvoteby pbhjpbhj5 hours ago|
parent|
next
[-]
I think it may have been the other way (ie attractive to those who didn't like flash) - SVG was seen as a potential flash replacement?
reply
upvoteby oldsecondhand12 hours ago|
parent|
prev|
[-]
OG actionscript was very similar to Javascript. It only started to diverge when type hints were introduced.
reply
upvoteby gsnedders10 hours ago|
parent|
[-]
AS2 was mostly following the direction of ES4 — so it wouldn’t have diverged if it hadn’t been abandoned.
reply
upvoteby NL80711 hours ago|
parent|
prev|
[-]
> SVGs should never have supported scripting.

I would even go further: HTML should never have supported scripting.

reply
upvoteby throwawayqqq118 hours ago|
parent|
[-]
... or third party requests. Scratch the H in HTML and internet tracking would have never happened.
reply
upvoteby philipallstar2 hours ago|
parent|
[-]
You could track people without links. You just couldn't go to other places without links.
reply
upvoteby afavour21 hours ago|
prev|
next
[-]
I think you're right but the lack of industry standard for this kind of thing kills it. People want to be able to take the output of whatever tool they use that exports SVG and put it in a browser. Which isn't an unfair request. But you wouldn't have a guarantee it wouldn't filter out the tool using some obscure SVG functionality.

I'd love to see an agreed standard like OpenGL vs OpenGL ES for SVG. SVG-ES. Everyone agrees on the static, non-scripted elements that should work.

reply
upvoteby varun_ch21 hours ago|
parent|
next
[-]
The way linked SVGs render from within img tags is basically perfect for SVG images (which as I understand is not standardized but is largely the same across browsers). External resources and scripting are blocked while still rendering nearly all SVGs correctly. And of course, any CSS is scoped to the SVG.

If someone formalizes this as a new format, please give it a new name! tvg tiny vector graphics? savg safe vector graphics?

And keep the scope as simple as possible so it actually ships! Don’t try implementing a binary format or something.

reply
upvoteby hackeman30021 hours ago|
parent|
next
[-]
Someone did this already and did call it tinyVG! https://tinyvg.tech/
reply
upvoteby sbrother19 hours ago|
parent|
prev|
next
[-]
Maybe I'm missing something as I am not a frontend developer, but when you embed SVGs in an img tag as part of a Phoenix LiveView or even just a static component, you no longer get the ability to dynamically change paths/fills/colors with events coming from the server. Even if it's as simple as having a shape that you want to fill with a brand/highlight color, which at least for me is a common use case.
reply
upvoteby 5 hours ago|
parent|
prev|
next
[-]
deleted
reply
upvoteby ambicapter21 hours ago|
parent|
prev|
[-]
.rvg, Restricted Vector Graphics?
reply
upvoteby 20 hours ago|
parent|
prev|
[-]
deleted
reply
upvoteby bawolff18 hours ago|
prev|
next
[-]
> My first thought is "support a tiny subset of svg that probably still covers 90% of real-world use cases".

It sounds like the linked post was about someone using a blacklist instead of a whitelist. It doesnt matter how tiny your subset is if you allow through stuff you don't recognize.

For the most part svg is safe. The dangerous parts are pretty obvious - script tag, image tag, feImage tag, attributes starting with on, embedding html in <foreignObject>, DTD tricks, namespace tricks, CSS that loads external stuff (keep in mind also presentational attributes. Its not just style attribute/tag).

The rest of it is pretty safe.

reply
upvoteby gardaani5 hours ago|
prev|
next
[-]
W3C has been defining SVG Native, but it hasn't progressed much lately — mostly because there hasn't been any interest in it. SVG Native is a small subset of SVG 2.0 which doesn't support scripting, animations or any external references. https://svgwg.org/specs/svg-native/
reply
upvoteby hackeman30021 hours ago|
prev|
next
[-]
Seems like someone already implemented your idea. https://tinyvg.tech/
reply
upvoteby codedokode9 hours ago|
parent|
[-]
Maybe we could use a subset of SVG or PDF?
reply
upvoteby Avamander18 hours ago|
prev|
next
[-]
There's the SVG Tiny profile that some implementations use, like BIMI/VMCs.
reply
upvoteby harperlee21 hours ago|
prev|
next
[-]
Fwiw I just thought the same, parse (don’t validate) the bits you like and recreate / reject the input.
reply
upvoteby nine_k11 hours ago|
prev|
next
[-]
I would say that a proper sanitizer should remove any attribute that has /https?:/ in it. Maybe it should allow access to a subtree of a blessed domain you control, where stuff like textures is stored.
reply
upvoteby varun_ch21 hours ago|
prev|
next
[-]
I wonder if it would be best if this was at the browser level as some sort of new format. Otherwise surely it would be really slow/cumbersome to deal with these in ‘user space’
reply
upvoteby 0x1ceb00da9 hours ago|
prev|
next
[-]
This is what android does. It has its own vector asset format and android studio has an action for importing svgs.
reply
upvoteby whycome21 hours ago|
prev|
next
[-]
It always seems like any animated svg loses all of the animation after sanitizing
reply
upvoteby RobotToaster7 hours ago|
parent|
next
[-]
A lot of SVG animation uses JS for some reason. It would be interesting to see if sanitisers strip CSS and SMIL animation, I don't see any security reasons to do so.
reply
upvoteby bawolff18 hours ago|
parent|
prev|
[-]
There are 3 different methods of animating svgs so it probably depends.
reply
upvoteby LorenPechtel21 hours ago|
prev|
next
[-]
Yeah, I think that's the real answer.

Look at what Microsoft did with Excel--the dangerous stuff is behind a switch.

Thus, solution:

Add two bits to the tag.

SVG1 does not execute any sort of script.

SVG2 does not follow links.

SVG3 is actually SVG1 + SVG2 as these are bit flags, not numbers.

Additional bits are reserved for future use if any other issues are found.

The only real safety is in the engine, not by any sanitizer.

reply
upvoteby bawolff18 hours ago|
parent|
next
[-]
Which is essentially already how it works. See https://svgwg.org/specs/integration/#secure-animated-mode
reply
upvoteby cachius18 hours ago|
parent|
prev|
[-]
What switch?
reply
upvoteby RobotToaster19 hours ago|
prev|
next
[-]
You'd lose a lot of useful features, like SMIL animation.
reply
upvoteby andybak19 hours ago|
parent|
[-]
But you'd gain adoption. A fair trade.
reply
upvoteby Nursie11 hours ago|
prev|
next
[-]
SVG Tiny PS (Portable Secure) is an attempt at this - https://www.ietf.org/archive/id/draft-svg-tiny-ps-abrotman-0...

Though I think it's still a draft, it does appear to be a requirement for BIMI - https://en.wikipedia.org/wiki/Brand_Indicators_for_Message_I...

reply
upvoteby duped21 hours ago|
prev|
[-]
So if you are building something where you control every SVG ever produced and rendered then this is totally reasonable.

If you ever need to interface with other tools that generate SVG you now need to have a way of essentially transpiling SVG from the wild into your tamed SVGs. Oftentimes this is done by hand, by a software developer and designer (sometimes the same person).

And this is for basic functionality that your designers expect and have trivial controls for in their vector editors, like "add a drop shadow."

The article goes into some issues with sanitization itself, and except for <script> these are a bunch of reasonable things that someone might expect to work or not have issues with. Sandboxing rendering isn't an unreasonable approach if you're not writing the parser and renderer yourself.

reply