🚀 Feature: Support of SVG files view with file storage #2811

Open
2 tasks done
kamal951 opened this issue Feb 18, 2022 · 2 comments
Labels
enhancement New feature or request product / console Console, UI and UX issues

Comments

@kamal951

🔖 Feature description

You should add the possibility to be able to see SVG files when we do the "view file" request.

For now, it works great for other types like png or jpeg but when we try to see an svg, we have plain text.

🎤 Pitch

This feature should be implemented because SVG files are generally lighter than other types so we could store more images and the performance would be better.

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

@kamal951 kamal951 changed the title 🚀 Feature: Support of SVG files in strorage 🚀 Feature: Support of SVG files in storage Feb 18, 2022
@kamal951 kamal951 changed the title 🚀 Feature: Support of SVG files in storage 🚀 Feature: Support of SVG files view with file storage Feb 18, 2022
@MarvinJWendt

If this gets implemented, it should be made sure that there aren't any XSS vulnerabilities, since user uploaded SVGs could potentially execute any JavaScript and steal the appwrite session token, which would grant access to the admin interface.

Reference

And yes, this works with modern browsers too 😉

@lohanidamodar lohanidamodar added the enhancement New feature or request label Mar 20, 2022
@stnguyen90 stnguyen90 added the product / console Console, UI and UX issues label Jan 6, 2023
@SkypLabs

> If this gets implemented, it should be made sure that there aren't any XSS vulnerabilities, since user uploaded SVGs could potentially execute any JavaScript and steal the appwrite session token, which would grant access to the admin interface.

Precisely. I actually stumbled upon this issue while doing research on the way AppWrite handles uploaded files' content type in responses, in particular about SVG files to avoid potential XSS problems.

One way to deal with it is to use a different hostname for accessing uploaded files. This way, the AppWrite's session cookie would not be accessible via JavaScript even if an XSS is triggered.
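
As an added illustration of the separate-hostname suggestion above (not Appwrite code and not part of the original comments): a check of whether a session cookie set by the console host would be readable through `document.cookie` by a script running on the host that serves uploaded files. The hostnames and the cookie name are constructed, and the example goes slightly beyond the comment by also accounting for the cookie's `Domain` and `HttpOnly` attributes.

```javascript
// Added example. Hostnames and the cookie name are constructed placeholders.
// Assumes the Set-Cookie header was accepted by the browser for setterHost.

// Extract the attributes that decide script visibility of a cookie.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], domain: null, httpOnly: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'domain' && value) {
      cookie.domain = value.replace(/^\./, '').toLowerCase(); // leading dot is ignored
    }
    if (key.toLowerCase() === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// RFC 6265 domain matching for hostnames (IP literals are out of scope here).
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Would a script running on fileHost see this cookie in document.cookie?
function readableFromFileHost(setCookieHeader, setterHost, fileHost) {
  const cookie = parseSetCookie(setCookieHeader);
  const host = fileHost.toLowerCase();
  if (cookie.httpOnly) return false; // never exposed to scripts
  if (cookie.domain === null) return host === setterHost.toLowerCase(); // host-only
  return domainMatches(host, cookie.domain); // Domain= widens scope to subdomains
}

// Constructed deployment layouts to compare.
const CONSOLE_HOST = 'console.example.test';
const cases = [
  ['session=abc; Path=/; Secure', 'console.example.test'],
  ['session=abc; Path=/; Secure', 'files.example.test'],
  ['session=abc; Domain=.example.test; Path=/; Secure', 'files.example.test'],
  ['session=abc; Domain=.example.test; Path=/; Secure; HttpOnly', 'files.example.test'],
  ['session=abc; Domain=.example.test; Path=/; Secure', 'files.usercontent.test'],
];
for (const [header, fileHost] of cases) {
  const exposed = readableFromFileHost(header, CONSOLE_HOST, fileHost);
  console.log(`${fileHost.padEnd(24)} ${exposed ? 'READABLE' : 'isolated'}  ${header}`);
}
```

The third case shows the caveat: a sibling subdomain does not isolate the cookie when it is set with a `Domain` attribute covering the parent domain, so the file host needs to sit outside that scope or the cookie needs to be host-only.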
