SECURITY: Prevent external resources in SVG files
On bug 65724, it was discovered that a user could upload SVG images
with embedded <image> elements that pulled in the resource via http.
This could allow an attacker to track all viewers of an SVG by having
the image embed another image hosted on their own server.
While testing the patch, I also identified 3 more element namespaces
that have been used on commons and seem harmless, so I added those to
the whitelist.
Change-Id: Iaaabc3a60c0ec4e6e426a8680d7a2cef5d469d29
dépôts / lhc / web / wiklou.git / commit