Opened 14 years ago

Closed 12 years ago

Last modified 2 years ago

#14092 closed New feature (wontfix)

ImageField should allow SVG

Reported by: graeme
Owned by: nobody
Component: Database layer (models, ORM)
Version: 1.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Someday/Maybe
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

A good many browsers now support SVG (and support is planned even for IE), so a good many uses of ImageField need SVG support.

Change History (10)

comment:1 by Paul McMillan, 14 years ago

Triage Stage: Unreviewed → Someday/Maybe

This seems like a reasonable request. However, I don't think it is realistic any time in the near future.

The issue here is that Django uses the PIL library to validate that uploaded files really are images. SVG files aren't supported by PIL, so we would have to find some other way to validate them.

The bigger concern about SVG files is the potential security issue. SVG files can contain JavaScript. A big part of the reason we use image fields in the first place is to make sure we're only allowing users to upload "safe" files that we know we can show other users without danger of XSS or other nastiness. SVG files can't make that promise.

So for now, it is better that we do not allow SVG files to be uploaded as part of an ImageField.

comment:2 by Julien Phalip, 13 years ago

Severity: Normal
Type: New feature

comment:3 by Aymeric Augustin, 13 years ago

UI/UX: unset

Change UI/UX from NULL to False.

comment:4 by Aymeric Augustin, 13 years ago

Easy pickings: unset

Change Easy pickings from NULL to False.

comment:5 by Aymeric Augustin, 12 years ago

Resolution: wontfix
Status: new → closed

ImageField is raster-oriented:

  • it validates common raster formats (JPG and PNG);
  • it denormalizes image width and height.

There's little in common between raster and vector handling — at least in the scope of PIL. And SVGs don't have a width and a height expressed in pixels in general. I don't see what ImageField adds to FileField when it comes to SVG files.

comment:6 by ambivalentno, 9 years ago

As SVG is required more and more often (and sometimes quite unexpectedly), I've made a quick workaround (in django-rest-framework context) to have PIL-based image validation and minimal SVG detection for the same FormField:

https://7webpages.com/blog/how-to-have-svg-allowed-as-an-image-for-django-rest-framework/

comment:7 by Michael, 2 years ago

Could this be revisited, as SVG is an essential image format for the web?

comment:8 by Carlton Gibson, 2 years ago

Hi Michael.

It's marked Someday/Maybe — so, after all this time, an outline (or proof-of-concept) of how it's addressable would be enough to move it on.

  • Did PIL/Pillow gain SVG support?
  • Is there another (secure) way forward?

comment:9 by Graeme Pietersz, 2 years ago (in reply to: description)

To do it securely we would probably need to add a dependency - there are libraries that can do this (e.g. scour) but I do not know which one would be best.

It could be an optional dependency (as PIL/Pillow already is).

However, what an SVG can do when displayed using an <img> tag is more limited than if it is inlined or displayed using iframe/object/embed. To cover just this use case we may need thorough sanitisation. Firefox at least does not run scripts and prevents loading of external elements: https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image

Last edited 2 years ago by Graeme Pietersz
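
The concerns raised in comments 1 and 9, as an added example that is not part of the ticket or of Django's code: a conservative allowlist check that refuses SVG uploads carrying script, event handlers, inline styles, DTDs or non-local references. The function name `svg_problems`, the tag allowlist and the sample documents are assumptions made for this illustration; it rejects on doubt and does not sanitise.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# Assumption: static drawings only; script, style, image, a, foreignObject and animation stay out.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse", "line",
                "polygon", "text", "tspan", "linearGradient", "radialGradient", "stop", "use"}
FORBIDDEN_MARKUP = ("<!DOCTYPE", "<!ENTITY", "<?xml-stylesheet")
URL_REF = re.compile(r"url\(([^)]*)\)", re.IGNORECASE)


def svg_problems(data):
    """Return reasons to reject `data` as a static SVG; an empty list means accept."""
    try:
        text = data.decode("utf-8")  # one known encoding, so the scan sees what the parser sees
    except UnicodeDecodeError:
        return ["not UTF-8"]
    for marker in FORBIDDEN_MARKUP:  # refuse DTDs and entities before any parsing happens
        if marker in text:
            return [f"declaration not allowed: {marker}"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["not well-formed XML"]
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg> in the SVG namespace"]
    problems = []
    for el in root.iter():
        local = el.tag.rpartition("}")[2]
        if not el.tag.startswith(SVG_NS) or local not in ALLOWED_TAGS:
            problems.append(f"element not allowed: {local}")
        for name, value in el.attrib.items():
            attr = name.rpartition("}")[2].lower()  # drop any namespace, e.g. xlink:href
            if attr.startswith("on"):
                problems.append(f"event handler attribute: {attr}")
            elif attr == "style":
                problems.append("inline style attribute")
            elif attr == "href" and not value.strip().startswith("#"):
                problems.append("non-local reference in href")
            elif any(not ref.strip(" '\"").startswith("#") for ref in URL_REF.findall(value)):
                problems.append(f"non-local url() in {attr}")
    return problems

# Constructed samples (not from the ticket).
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="url(#g)"/></svg>'
ACTIVE = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'

if __name__ == "__main__":
    print(svg_problems(CLEAN), svg_problems(ACTIVE))
```

In a Django project a function like this could back a validator on a plain FileField, raising ValidationError when the returned list is non-empty.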

comment:10 by Claude Paroz, 2 years ago

Is there any third-party package that implements that currently, and could maybe be considered as a candidate for core integration?
