[wp-meta] [Making WordPress.org] #1616: Remote CSS: Allow data URIs in CSS properties
Making WordPress.org
noreply at wordpress.org
Sat Mar 5 04:16:45 UTC 2016
#1616: Remote CSS: Allow data URIs in CSS properties
--------------------------+------------------
Reporter: ryelle | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: wordcamp.org | Resolution:
Keywords: has-patch |
--------------------------+------------------
Comment (by ryelle):
SVGs used as images, like CSS background-images, should have JavaScript
disabled by browsers.
[https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image MDN outright says this for Gecko],
while
[https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf this presentation]
makes the claim that SVGs as images "''should'' not
execute JavaScript"... however I can't find any definitive guide saying
that each browser definitely does or does not.
FWIW, I've tried adding JS to an SVG image and it's not executing.
> Note that svg with malicious script on a different domain has the domain
> problem. Data uri, not so much.
I hadn't thought of that, so it's worth making sure.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/1616#comment:2>
Making WordPress.org <https://meta.trac.wordpress.org/>