Jens Frank wrote:
> On Sat, Sep 10, 2005 at 10:48:48AM +0100, Neil Harris wrote:
>> Brion Vibber wrote:
>>> I've enabled SVG uploads and rendering.
>> It might be useful to mention here that Firefox 1.5beta1 now has SVG support compiled in and enabled by default. The implementation is still slightly buggy, but works well enough for content developers to use for testing, to try to shake out as many bugs as possible before 1.5 proper is released.
> Since SVG allows the embedding of javascript, we should not deliver SVGs that were uploaded to our users, unless someone provides a reliable javascript remover.
A checker for JavaScript was included in 1.5 branch a couple months back. Of course another look over the code wouldn't hurt!
(We have for some time taken the precaution of serving uploads from a separate subdomain, which should in most cases prevent attacks even if they make it past upload filters; but it may not be complete protection, particularly for the sites on *.wikimedia.org domains where there might be a session fixation attack.)
-- brion vibber (brion @ pobox.com)
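As an illustration of the kind of "checker for JavaScript" discussed in this thread, here is an added example of a namespace-aware detector for active content in an uploaded SVG. It is not MediaWiki's own filter; the function names and the sample SVG documents are constructed for this example.

```python
"""Conservative check for active content in an uploaded SVG (added example).

Flags <script> elements, on* event-handler attributes, and href/xlink:href
values using the javascript: scheme. Matching is done on the namespace-local
name, so a renamed prefix such as <s:script> is still caught, and whitespace
or control characters inside the scheme (java&#x9;script:) are stripped
before comparison.
"""
import xml.etree.ElementTree as ET
from typing import List


def _local(qname: str) -> str:
    """Strip the {namespace} prefix that ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1].lower()


def find_script_content(svg_bytes: bytes) -> List[str]:
    """Return the reasons this SVG should be rejected (empty list = clean)."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Malformed XML is rejected rather than guessed at.
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag == "script":
            findings.append("<script> element")
        for name, value in elem.attrib.items():
            lname = _local(name)
            if lname.startswith("on"):
                findings.append(f"event handler attribute {lname} on <{tag}>")
            if lname == "href":
                # Drop whitespace/control characters, then compare the scheme.
                scheme = "".join(ch for ch in value if ch > " ").split(":", 1)[0]
                if scheme.lower() == "javascript":
                    findings.append(f"javascript: URL on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True when the checker finds nothing to object to."""
    return not find_script_content(svg_bytes)


# Constructed sample inputs for this example (not real uploads).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<s:script xmlns:s="http://www.w3.org/2000/svg">alert(1)</s:script>'
    b'<a xlink:href="java&#x9;script:alert(1)"><rect onclick="alert(1)"/></a></svg>'
)
```

This is a denylist, so a production filter should also consider <foreignObject>, embedded <style> content and animated href values, and it complements serving uploads from a separate domain rather than replacing it.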