Administrator could embed the SVG images in CKEditor only with the Rich text format. Here are the allowed HTML tags for embedding SVG:
<svg class> <use xmlns:xlink xlink:href>
And here's the HTML that is present in the content:
<svg><use xlink="http://www.w3.org/1999/xlink" href="#rewards-starburst-dollar"></use></svg> from <svg><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#rewards-starburst-dollar"></use></svg>
But when the administrator views the block, the svg and use tags are showing empty. Has anyone fixed this issue of the SVG tag before?
There are security risks involved in giving the permissions to upload the images.
https://security.stackexchange.com/questions/11384/exploits-or-other-sec...
Comment | File | Size | Author |
---|---|---|---|
#5 | drupal.png | 147.48 KB | Sumit kumar |
#2 | 2897119-2.patch | 5.11 KB | naveenvalecha |
Comments
Comment #2
naveenvalecha
Here's the failing test.
Comment #3
naveenvalecha
The format select list is not showing on the /node/add/article page. Is there any additional permission required?
Comment #4
naveenvalecha
N/W for #3. Also, the failing test is not complete.
Comment #5
Sumit kumar
@naveenvalecha Thanks for your contribution.
I had tested your patch; it applies successfully, but I didn't get any result from it.
I had run another SVG code (as per my understanding of this issue) and it ran successfully. For more reference, please see the attached image.
Comment #7
Wim Leers
You do know that user-uploaded SVGs are potentially security holes?
Comment #8
naveenvalecha
#7,
yup, we are aware of the security risks involved here.
Comment #9
Sumit kumar (Srijan | A Material+ Company)
Comment #10
Wim Leers
So how do you propose changing this in Drupal core without introducing security risks?
Also, isn't this something that needs changes upstream, in CKEditor?
Comment #11
Wim Leers
Comment #12
mgifford
I added this issue to the CKEditor issue queue: https://github.com/ckeditor/ckeditor-dev/issues/1774
Still doesn't deal with the security issue.