Opened 13 years ago

Closed 11 years ago

Last modified 19 months ago

#14092 closed New feature (wontfix)

ImageField should allow SVG

Reported by: graeme
Owned by: nobody
Component: Database layer (models, ORM)
Version: 1.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Someday/Maybe
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

A good many browsers now support SVG (and support is planned even for IE), so a good many uses of ImageField need SVG support.

Change History (10)

comment:1 Changed 13 years ago by Paul McMillan

Triage Stage: Unreviewed → Someday/Maybe

This seems like a reasonable request. However, I don't think it is realistic any time in the near future.

The issue here is that Django uses the PIL library to validate that uploaded files really are images. SVG files aren't supported by PIL, so we would have to find some other way to validate them.

The bigger concern about SVG files is the potential security issue. SVG files can contain JavaScript. A big part of the reason we use image fields in the first place is to make sure we're only allowing users to upload "safe" files that we know we can show other users without danger of XSS or other nastiness. SVG files can't make that promise.

So for now, it is better that we do not allow SVG files to be uploaded as part of an ImageField.

comment:2 Changed 13 years ago by Julien Phalip

Severity: Normal
Type: New feature

comment:3 Changed 12 years ago by Aymeric Augustin

UI/UX: unset

Change UI/UX from NULL to False.

comment:4 Changed 12 years ago by Aymeric Augustin

Easy pickings: unset

Change Easy pickings from NULL to False.

comment:5 Changed 11 years ago by Aymeric Augustin

Resolution: wontfix
Status: new → closed

ImageField is raster-oriented:

  • it validates common raster formats (JPG and PNG);
  • it denormalizes image width and height.

There's little in common between raster and vector handling — at least in the scope of PIL. And SVGs don't have a width and a height expressed in pixels in general. I don't see what ImageField adds to FileField when it comes to SVG files.

comment:6 Changed 8 years ago by ambivalentno

As svg is required more and more often (and sometimes quite unexpectedly), I've made a quick workaround (in django-rest-framework context) to have PIL-based image validation and minimal svg detection for the same FormField:

https://7webpages.com/blog/how-to-have-svg-allowed-as-an-image-for-django-rest-framework/

comment:7 Changed 19 months ago by Michael

Could this be revisited, as SVG is an essential image format for the web?

comment:8 Changed 19 months ago by Carlton Gibson

Hi Michael.

It's marked Someday/Maybe — so, after all this time, an outline (or proof-of-concept) of how it's addressable would be enough to move it on.

  • Did PIL/Pillow gain SVG support?
  • Is there another (secure) way forward?

comment:9 in reply to: description Changed 19 months ago by Graeme Pietersz

To do it securely we would probably need to add a dependency - there are libraries that can do this (e.g. scour) but I do not know which one would be best.

It could be an optional dependency (as PIL/Pillow already is).

However, what an SVG can do when displayed using an <img> tag is more limited than if it is inlined or displayed using /iframe/object/embed. To cover just this use case we may need thorough sanitisation. Firefox at least does not run scripts and prevents loading of external elements: https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image

Last edited 19 months ago by Graeme Pietersz
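
The validation gap raised in comment:1 and comment:9, sketched as an added example (not Django's code and not code from anyone in this thread): a stdlib-only pre-check an upload handler could run before accepting an SVG. The function name, the element deny list and the fragment-only href policy are assumptions made for this example; it flags active content and does not sanitise.

```python
from xml.parsers import expat

SVG_NS = "http://www.w3.org/2000/svg"
# Deny list chosen for this example (an assumption, not exhaustive): elements
# that run script or embed another document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}


class _Stop(Exception):
    """Raised inside a handler to abort parsing immediately."""


def svg_findings(data: bytes) -> list[str]:
    """Return reasons to reject an uploaded SVG; an empty list means none found."""
    findings: list[str] = []
    seen_root = False

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A DTD can declare entities; refuse before any expansion happens.
        findings.append("DOCTYPE declaration")
        raise _Stop

    def on_start(name, attrs):
        nonlocal seen_root
        # In namespace mode expat reports names as "namespace-uri localname".
        ns, _, local = name.rpartition(" ")
        if not seen_root and (ns, local) != (SVG_NS, "svg"):
            findings.append(f"root element is <{local}>, not SVG")
            raise _Stop
        seen_root = True
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element")
        for attr, value in attrs.items():
            attr_local = attr.rpartition(" ")[2].lower()
            if attr_local.startswith("on"):
                findings.append(f"event handler attribute {attr_local}")
            elif attr_local == "href" and not value.strip().startswith("#"):
                # Policy for this example: only same-document references.
                findings.append(f"href leaves the document: {value.strip()[:40]}")

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings
```

Style sheets and CSS url() references are not inspected by this check.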

comment:10 Changed 19 months ago by Claude Paroz

Is there any third-party package that implements that currently, and could maybe be considered as a candidate for core integration?
