🚀 Feature: Support of SVG files view with file storage #2811
Comments
If this gets implemented, it should be made sure that there aren't any XSS vulnerabilities, since user-uploaded SVGs could potentially execute any JavaScript and steal the Appwrite session token, which would grant access to the admin interface. And yes, this works with modern browsers too 😉
Precisely. I actually stumbled upon this issue while doing research on the way Appwrite handles uploaded files' content type in responses, in particular about SVG files to avoid potential XSS problems. One way to deal with it is to use a different hostname for accessing uploaded files. This way, Appwrite's session cookie would not be accessible via JavaScript even if an XSS is triggered.
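The two comments above, combined into one serving policy, as an added example that is not Appwrite code: uploads are answered only on a separate file host, SVG is rendered under a sandboxing Content-Security-Policy, and types that are not known-safe images are forced to download. The host name and the function names are constructed for illustration, and the MIME type is assumed to come from server-side detection.

```javascript
// Added example, not Appwrite code. The host name is a constructed placeholder.
const FILES_HOST = "files.usercontent.example.test"; // separate origin for uploads

// Raster types a browser renders inline without running document script.
const INLINE_SAFE = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);

// RFC 5987 encoding, so a stored file name cannot inject CR/LF or quotes into a header.
function encodeFilename(name) {
  return encodeURIComponent(name).replace(/['()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// mimeType is assumed to come from server-side detection, not from the uploader.
function fileViewResponse(requestHost, mimeType, filename) {
  // Uploads are never served from the origin that holds the session cookie.
  if (requestHost.toLowerCase() !== FILES_HOST) {
    return { status: 404, headers: {} };
  }
  const type = mimeType.split(";")[0].trim().toLowerCase();
  const headers = { "X-Content-Type-Options": "nosniff" };
  const name = "filename*=UTF-8''" + encodeFilename(filename);

  if (type === "image/svg+xml") {
    // SVG is an active document: render it, but sandboxed and without script.
    headers["Content-Type"] = "image/svg+xml";
    headers["Content-Disposition"] = "inline; " + name;
    headers["Content-Security-Policy"] =
      "default-src 'none'; style-src 'unsafe-inline'; sandbox";
  } else if (INLINE_SAFE.has(type)) {
    headers["Content-Type"] = type;
    headers["Content-Disposition"] = "inline; " + name;
  } else {
    // Anything else (HTML, XML, unknown) is downloaded, never rendered.
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] = "attachment; " + name;
  }
  return { status: 200, headers };
}
```

An SVG referenced from an `<img>` tag never runs script; the headers matter when the file URL is opened directly as a document.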
🔖 Feature description
You should add the possibility to be able to see SVG files when we do the "view file" request.
For now, it works great for other types like png or jpeg but when we try to see an svg, we have plain text.
🎤 Pitch
This feature should be implemented because SVG files are generally lighter than other types so we could store more images and the performance would be better.
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?