[wp-meta] [Making WordPress.org] #1616: Remote CSS: Allow data URIs in CSS properties

Making WordPress.org noreply at wordpress.org
Sat Mar 5 04:16:45 UTC 2016


#1616: Remote CSS: Allow data URIs in CSS properties
--------------------------+------------------
 Reporter:  ryelle        |       Owner:
     Type:  defect        |      Status:  new
 Priority:  normal        |   Milestone:
Component:  wordcamp.org  |  Resolution:
 Keywords:  has-patch     |
--------------------------+------------------

Comment (by ryelle):

 SVGs used as images, like CSS background-images, should have JavaScript
 disabled by browsers.
 [https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image MDN outright says this for Gecko],
 while
 [https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf this presentation]
 makes the claim that SVGs as images "''should'' not execute
 JavaScript"... however I can't find any definitive guide saying that each
 browser definitely does or does not.

 FWIW, I've tried adding JS to an SVG image and it's not executing.

 > Note that svg with malicious script on a different domain has the domain
 > problem. Data uri, not so much.

 I hadn't thought of that, so it's worth making sure.

--
Ticket URL: <https://meta.trac.wordpress.org/ticket/1616#comment:2>
Making WordPress.org <https://meta.trac.wordpress.org/>