[wp-trac] [WordPress Trac] #26256: SVG images get width and height attributes with values of 1

WordPress Trac noreply at wordpress.org
Sun Jul 6 14:11:36 UTC 2014


#26256: SVG images get width and height attributes with values of 1
-------------------------------------+------------------------------
 Reporter:  lippe                    |       Owner:
     Type:  defect (bug)             |      Status:  new
 Priority:  normal                   |   Milestone:  Awaiting Review
Component:  Media                    |     Version:
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |     Focuses:
-------------------------------------+------------------------------

Comment (by ericlewis):

 Replying to [comment:12 johnbillion]:
 > The main issue is [http://www.acunetix.com/blog/web-security-
 zone/articles/xml-external-entity-xxe-vulnerabilities/ XXE attacks], but
 there are others such as recursive entity expansion bombs.

 Isn't unfiltered html just as dangerous? If a user can be trusted with
 unfiltered html, perhaps they should also be trusted with SVG?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/26256#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list