#14092 closed New feature (wontfix)
ImageField should allow SVG
| Reported by: | graeme | Owned by: | nobody |
|---|---|---|---|
| Component: | Database layer (models, ORM) | Version: | 1.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Someday/Maybe | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
A good many browsers now support SVG (and support is planned even for IE), so a good many uses of ImageField need SVG support.
Change History (10)
comment:1 Changed 13 years ago by
| Triage Stage: | Unreviewed → Someday/Maybe |
|---|
comment:2 Changed 13 years ago by
| Severity: | → Normal |
|---|---|
| Type: | → New feature |
comment:5 Changed 11 years ago by
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
ImageField is raster-oriented:
- it validates common raster formats (JPG and PNG);
- it denormalizes image width and height.
There's little in common between raster and vector handling — at least in the scope of PIL. And SVGs don't have a width and a height expressed in pixel in general. I don't see what ImageField adds to FileField when it comes to SVG files.
comment:6 Changed 8 years ago by
As svg is required more and more often (and sometimes quite unexpectedly), I've made a quick workaround (in django-rest-framework context) to have PIL-based image validation and minimal svg detection for the same FormField:
https://7webpages.com/blog/how-to-have-svg-allowed-as-an-image-for-django-rest-framework/
comment:7 Changed 19 months ago by
Could this be revisited, as SVG is an essential image format for the web.
comment:8 Changed 19 months ago by
Hi Michael.
It's marked Someday/Maybe — so, after all this time, an outline (or proof-of-concept) of how it's addressable would be enough to move it on.
- Did PIL/Pillow gain SVG support?
- Is there another (secure) way forward?
comment:9 Changed 19 months ago by
To do it securely we would probably need to add a dependency - there are libraries that can do this (e.g. scour) but I do not know which one would be best.
It could be an optional dependency (as PIL/Pillow already is).
However, what an SVG can do when displayed using an <img> tag is more limited than if it is inlined or displayed using /iframe/object/embed. To cover just this use case we may need thorough sanitisation. Firefox at least does not run scripts and prevents loading of external elements: https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image
comment:10 Changed 19 months ago by
Is there any third-party package that implements that currently, and could maybe be considered as a candidate for core integration?
This seems like a reasonable request. However, I don't think it is realistic any time in the near future.
The issue here is that Django uses the PIL library to validate that uploaded files really are images. SVG files aren't supported by PIL, so we would have to find some other way to validate them.
The bigger concern about SVG files is the potential security issue. SVG files can contain javascript. A big part of the reason we use image fields in the first place is to make sure we're only allowing users to upload "safe" files that we know we can show other users without danger of XSS or other nastiness. SVG files can't make that promise.
So for now, it is better that we do not allow SVG files to be uploaded as part of an ImageField.