SVG Sanitisation

SVGs can hide JavaScript in many places, so allowing them to be added and displayed, and then forked to any wiki, is a definite risk.

Luckily we have a couple of promising solutions to explore:

1. Use SVG files manually uploaded to the assets folder
2. Use a sanitiser like DOMPurify (github)

The simplest and safest solution is to allow the about image plugin to display SVGs hosted in the assets folder. These files need to be uploaded manually, as with any hosted site, and cannot be added unless you have been given administrative privileges. Forking a page does not fork the asset.

This gives us most of what we want in terms of interactive SVG panels, though at the cost of not letting users of farms create them. To do that we would need to use a sanitiser like DOMPurify.
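As an added example, not code from this page or from DOMPurify, the Python below uses only the standard library to parse an SVG and both list and strip the places script can hide: `<script>` and `<foreignObject>` elements, `on*` event attributes, and `javascript:` URLs in `href`/`xlink:href`. It illustrates what a sanitiser has to remove and does not replace DOMPurify; the function names are my own and the sample SVG is constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
SCRIPT_TAGS = {f"{{{SVG_NS}}}script", f"{{{SVG_NS}}}foreignObject"}  # run script / embed HTML
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}  # attributes that take a URL

# Constructed sample: script hidden in four different places plus one benign shape.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(2)</script>
  <a xlink:href=" javascript:alert(3)"><circle r="10" onclick="alert(4)"/></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">html</div></foreignObject>
  <rect width="10" height="10"/>
</svg>"""

def _local(name): return name.rsplit("}", 1)[-1]  # drop the {namespace} prefix

def _is_script_url(value):
    # Browsers ignore leading controls/spaces and tabs/newlines in a URL, so strip them first.
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    return cleaned.lower().startswith("javascript:")

def _dangerous_attrs(el):  # attribute names on el that can execute script
    return [n for n, v in el.attrib.items()
            if _local(n).lower().startswith("on") or (n in URL_ATTRS and _is_script_url(v))]

def find_active_content(svg_text):
    """Return (element, reason) pairs for every place script could run."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        if el.tag in SCRIPT_TAGS:
            findings.append((_local(el.tag), "element can run script"))
        for name in _dangerous_attrs(el):
            findings.append((_local(el.tag), "attribute " + _local(name)))
    return findings

def strip_active_content(svg_text):
    """Return the SVG with script-bearing elements and attributes removed."""
    root = ET.fromstring(svg_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if el.tag in SCRIPT_TAGS and el in parents:
            parents[el].remove(el)  # drops the whole subtree, nested handlers included
        for name in _dangerous_attrs(el):
            del el.attrib[name]
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode")
```

Running `find_active_content` on the stripped output returns an empty list, which is the check to keep when deciding whether an uploaded SVG may be displayed.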

# Online research

- cure53/DOMPurify: DOMPurify...
- DOMPurify 2.2.9 "Funky Town"
- SVG Sanitizer Test
- darylldoyle/svg-sanitizer: A...

# Other solutions

The following is based on DOMPurify but targeted towards SVGs:

It does not look as well maintained as DOMPurify, however.