[wp-meta] [Making WordPress.org] #5464: Plugin Directory: Prevent SVN uploads of animated banners and icons
Making WordPress.org
noreply at wordpress.org
Fri Oct 23 06:51:49 UTC 2020
#5464: Plugin Directory: Prevent SVN uploads of animated banners and icons
------------------------------+---------------------
Reporter: Ipstenu | Owner: (none)
Type: defect | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: |
------------------------------+---------------------
Comment (by dd32):
So, I went on a bit of an implementation attempt today here..
I went with attempting to return animated assets like so:
{{{
https://s.w.org/plugins/remove-animation/$plugin/$animated_asset
}}}
That works great for animated GIFs & PNGs (even when saved as .jpg), but
SVGs are quite a bit harder. For standard images, I'm just running them
through `imagecreatefromstring()` and `imagepng()` to output the first
frame.
I've found that appending the following to SVGs tends to work well as
well:
{{{
<script> SVGRoot.pauseAnimations(); </script>
<style>* { animation: none !important; }</style>
}}}
The problem I ran into was that it increases the potential for JavaScript
execution on a WordPress.org domain, something that
plugins.svn.wordpress.org & ps.w.org currently protect against, and so
serving those SVGs via s.w.org is a bit too risky for me.
So.. I think the correct way to handle this is just to rip the bandaid off
and block them.
I don't think blocking the SVN commit itself is worth it, just block it at
the plugin directory import step.
Blocking images based on multi-frame is easy enough it seems. SVGs are
more difficult, but we can probably just block on the file containing
`<script`, `animate`, or `animation`. I'm sure there are a few ways around
that, though, but if someone can work around that, they deserve a ban
hammer :)
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5464#comment:8>
Making WordPress.org <https://meta.trac.wordpress.org/>
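The import-step block dd32 sketches, as an added Python example that is not code from the ticket or from the plugin directory: it counts GIF image descriptors, looks for an APNG acTL chunk, and applies the same `<script`/`animate`/`animation` substring test to SVGs, sniffing the format from the bytes rather than the file extension (so a GIF saved as .jpg is still caught). The sample bytes are constructed for the demonstration and are not real plugin assets.

```python
import re
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SVG_BLOCKLIST = re.compile(rb"<script|animate|animation", re.IGNORECASE)  # dd32's substrings

def _skip_subblocks(data, pos):  # GIF sub-blocks are length-prefixed and end with a 0 byte
    while data[pos]:
        pos += 1 + data[pos]
    return pos + 1

def _ct_len(flags):  # colour table size in bytes, 0 when the "table present" bit is clear
    return (3 << ((flags & 7) + 1)) if flags & 0x80 else 0

def gif_frame_count(data):  # one image descriptor per frame; more than one means animated
    pos, frames = 13 + _ct_len(data[10]), 0  # skip header, screen descriptor, global table
    while data[pos] != 0x3B:  # 0x3B is the trailer
        block, pos = data[pos], pos + 1
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor: 9 bytes, local table, LZW code-size byte
            frames, pos = frames + 1, pos + 9 + _ct_len(data[pos + 8])
            pos = _skip_subblocks(data, pos + 1)
        else:
            raise ValueError("corrupt GIF block")
    return frames

def png_is_animated(data):  # APNG declares itself with an acTL chunk before the first IDAT
    pos = 8
    while pos + 8 <= len(data) and data[pos + 4:pos + 8] not in (b"IDAT", b"IEND"):
        if data[pos + 4:pos + 8] == b"acTL":
            return True
        pos += 12 + struct.unpack(">I", data[pos:pos + 4])[0]  # length + type + data + CRC
    return False

def is_animated_asset(data):  # sniff by content, not extension: a GIF saved as .jpg is still a GIF
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return gif_frame_count(data) > 1
    if data.startswith(PNG_MAGIC):
        return png_is_animated(data)
    if b"<svg" in data[:1024].lower():
        return bool(SVG_BLOCKLIST.search(data))
    return False

# Constructed minimal samples (not real plugin assets); PNG chunk CRCs are left zeroed.
def png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + b"\x00" * 4
_FRAME = b"\x21\xf9\x04\x00\x00\x00\x00\x00\x2c" + b"\x00" * 4 + b"\x01\x00\x01\x00\x00\x02\x01\x44\x00"
STATIC_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + _FRAME + b"\x3b"
ANIMATED_GIF = STATIC_GIF[:-1] + _FRAME + b"\x3b"
```

Note that the `<style>* { animation: none }</style>` pause trick from the comment would itself trip the `animation` substring, which is consistent with dropping that approach in favour of blocking.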