An administrator could embed SVG images in CKEditor only with the Rich text format. Here are the allowed HTML tags for embedding SVG:
<svg class> <use xmlns:xlink xlink:href>
And here's the HTML that is present in the content:
<svg><use xlink="http://www.w3.org/1999/xlink" href="#rewards-starburst-dollar"></use></svg> from <svg><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#rewards-starburst-dollar"></use></svg>
But when the administrator views the block, the svg and use tags are showing empty. Has anyone fixed this issue with the SVG tag before?

There are security risks involved in giving permission to upload the images.
https://security.stackexchange.com/questions/11384/exploits-or-other-sec...
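
The allowlist in the summary above (svg with class, use with xlink:href) can be checked so that a use element only ever points at a same-document fragment. The PHP below is an added example, not code from Drupal core, CKEditor or the patch in this issue; svg_fragment_violations() and its constants are hypothetical names, and the two sample inputs are constructed.

```php
<?php
// Added example; function and constant names are hypothetical, not Drupal APIs.
const SVG_NS = 'http://www.w3.org/2000/svg';
const XLINK_NS = 'http://www.w3.org/1999/xlink';
// Element => permitted attribute local names, after "<svg class> <use xlink:href>".
const ALLOWED = ['svg' => ['class'], 'use' => ['href']];

/** Returns violations; an empty array means the fragment fits the allowlist. */
function svg_fragment_violations(string $markup): array {
  // No DOCTYPE, entity declarations, comments, CDATA or processing instructions.
  if (preg_match('/<[!?]/', $markup)) {
    return ['declarations and processing instructions are rejected'];
  }
  // Inline SVG in HTML omits xmlns, so bind both namespaces on a wrapper element.
  $xml = '<wrap xmlns="' . SVG_NS . '" xmlns:xlink="' . XLINK_NS . '">' . $markup . '</wrap>';
  $previous = libxml_use_internal_errors(TRUE);
  $doc = new DOMDocument();
  $parsed = $doc->loadXML($xml, LIBXML_NONET);
  libxml_clear_errors();
  libxml_use_internal_errors($previous);
  if (!$parsed) {
    return ['markup is not well-formed'];
  }
  $violations = [];
  foreach ($doc->getElementsByTagName('*') as $el) {
    if ($el->isSameNode($doc->documentElement)) { continue; } // Skip the wrapper.
    if ($el->namespaceURI !== SVG_NS || !array_key_exists($el->localName, ALLOWED)) {
      $violations[] = "element <{$el->nodeName}> is not allowed";
      continue;
    }
    foreach ($el->attributes as $attr) {
      // Namespace declarations are not content attributes.
      if ($attr->prefix === 'xmlns' || $attr->nodeName === 'xmlns') { continue; }
      // Unprefixed attributes have no namespace; only href may use the XLink one.
      $ns_ok = $attr->namespaceURI === NULL || ($attr->localName === 'href' && $attr->namespaceURI === XLINK_NS);
      if (!$ns_ok || !in_array($attr->localName, ALLOWED[$el->localName], TRUE)) {
        $violations[] = "attribute {$attr->nodeName} on <{$el->nodeName}> is not allowed";
      }
      elseif ($attr->localName === 'href' && !preg_match('/\A#[A-Za-z_][\w.-]*\z/', $attr->value)) {
        $violations[] = "<use> may only reference a same-document #id, got {$attr->value}";
      }
    }
  }
  return $violations;
}

// Constructed samples: the markup from the summary, then an external reference.
var_dump(svg_fragment_violations('<svg><use xlink:href="#rewards-starburst-dollar"></use></svg>'));
var_dump(svg_fragment_violations('<svg><use xlink:href="https://example.com/sprite.svg#icon"></use></svg>'));
```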


Comments

naveenvalecha created an issue. See original summary.

naveenvalecha’s picture

Status: Active » Needs review
FileSize
5.11 KB

Here's the failing test.

naveenvalecha’s picture

+++ b/core/modules/ckeditor/tests/src/Functional/CKEditorSvgTagTest.php
@@ -0,0 +1,116 @@
+//    $edit['body[0][format]'] = 'svg_format';
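
Review bot: the added line "$edit['body[0][format]'] = 'svg_format';" is commented out, so as posted the test never submits the body with the svg_format text format and cannot show whether that format keeps the svg and use tags. Re-enable the assignment once the form exposes the format field, or drop the line rather than leaving dead code in the test.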

The format select list is not showing on the /node/add/article page. Is there any additional permission required?

naveenvalecha’s picture

Status: Needs review » Needs work

N/W for #3. Also, the failing test is not complete.

Sumit kumar’s picture

FileSize
147.48 KB

@naveenvalecha Thanks for your contribution.

I tested your patch; it applies successfully, but I didn't get any result from it.

I ran another SVG code (as per my understanding of this issue) and it ran successfully. For more reference, please see the attached image.

<svg width="100" height="100">
   <circle cx="50" cy="50" r="40" stroke="green" stroke-width="4" fill="yellow" />
   Sorry, your browser does not support inline SVG.
</svg> 

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Wim Leers’s picture

Title: Ckeditor is stripping the svg tag » CKEditor is stripping the svg tag
Category: Bug report » Feature request
Status: Needs work » Postponed (maintainer needs more info)

You do know that user-uploaded SVGs are potentially security holes?

naveenvalecha’s picture

Issue summary: View changes

#7,
yup, we are aware of the security risks involved here.

Sumit kumar’s picture

Wim Leers’s picture

So how do you propose changing this in Drupal core without introducing security risks?

Also, isn't this something that needs changes upstream, in CKEditor?

Wim Leers’s picture

Status: Postponed (maintainer needs more info) » Closed (works as designed)

mgifford’s picture

I added this issue to the CKEditor issue queue https://github.com/ckeditor/ckeditor-dev/issues/1774

Still doesn't deal with the security issue.