Improve handling of svg files #7032

alexanderstephan · 2021-10-25T15:56:25Z

Description

This PR adds a sanitizer that enables use of dataURLs for svg Blobs. Right now all files with the MIME-type image/svg+xml are getting converted to a application/octet-stream, which breaks the lightbox view.

How it currently looks like:

How it should look like:

A proper lightbox is displayed.

Security

It also fixes a security issue where SVGs can be forwarded to e2e encrypted rooms and possibly steal the encryption keys.

I would highly appreciate feedback regarding the use of DOMPurify. Especially the way I make tags work with the sanitizer. I did this because during my testing many SVG made heavy use of them.

Related issues

The idea of using DOMPurify was originally mentioned here as I found out later: element-hq/element-web#2581

I am looking into looking into this specific issue next, but for now it should fix the following issues:

Image preview not working with SVG element-hq/element-web#18526
Full Resolution SVG Fails to Display in E2E Encrypted Rooms element-hq/element-web#15094
sending SVGs fails with null thumbnail element-hq/element-web#10833 (Possibly, the issue lacks a bit of description)

Current status:

I added DOMPurify as a dependency
I implemented and tested sanitizing svgs and opening them in a lightbox
I tested that the thumbnails also work as expected in e2e encrypted rooms
I expanded the comments regarding MIME-type filtering and my implementation
Affirm that a thumbnail is always generated when it should
Review use of DOMPurify
Fix scaling
Prevent preview of large SVGs
Write tests

Signed-off-by: Alexander Stephan alexander.stephan@tum.de

Here's what your changelog entry will look like:

✨ Features

Improve handling of svg files (#7032). Contributed by @alexanderstephan.

Preview: https://61771aa1667ae2e7582564a3--matrix-react-sdk.netlify.app
⚠️ Do you trust the author of this PR? Maybe this build will steal your keys or give you malware. Exercise caution. Use test accounts.

alexanderstephan · 2024-01-20T22:12:20Z

Sadly, not having the time to finish this. Although I might come back to this.

alexanderstephan added 8 commits October 21, 2021 22:13

Fix link to repo

b6c24fb

Add DOMPurify XSS sanitizer

18bcbef

Allow SVG blobs and update related comment

737422c

Merge branch 'matrix-org:develop' into develop

afe23ea

Add SVG sanitizer

d5f138a

Include santizer when encrypting svgs

9b65b65

Add missing new line

c9e330d

Fixed linting issues

3dee112

t3chguy added the T-Enhancement New features, changes in functionality, performance boosts, user-facing improvements label Oct 25, 2021

alexanderstephan added 9 commits October 26, 2021 15:52

Merge branch 'matrix-org:develop' into develop

27b1e9c

Sanitize only svg previews

eb8c788

Merge branch 'matrix-org:develop' into develop

1021786

Fix for decode type

2e148df

Use unknown for data array

05e1143

Merge branch 'matrix-org:develop' into develop

97a3640

Merge branch 'develop' into develop

2f3cffc

Fix linter

9704502

Merge branch 'develop' into develop

5a0f821

MadLittleMods added the Z-Community-PR Issue is solved by a community member's PR label Jun 1, 2022

alexanderstephan closed this Jan 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve handling of svg files #7032

Improve handling of svg files #7032

alexanderstephan commented Oct 25, 2021 •

edited by github-actions bot

Loading

alexanderstephan commented Jan 20, 2024

Improve handling of svg files #7032

Improve handling of svg files #7032

Conversation

alexanderstephan commented Oct 25, 2021 • edited by github-actions bot Loading

✨ Features

alexanderstephan commented Jan 20, 2024

alexanderstephan commented Oct 25, 2021 •

edited by github-actions bot

Loading