We should support SVG. In particular:

  • We could support rendering SVGs to PNGs when compiling the wiki. Not all browsers support SVG yet.

  • We could support editing SVGs via the web interface. SVG can contain unsafe content such as scripting, so we would need to whitelist safe markup.



I'm allowing for inline SVG on my own installation. I've patched my copy of htmlscrubber.pm to allow safe MathML and SVG elements (as implemented in html5lib). Here's a patch if anyone else is interested. Actually, that patch wasn't quite right. I'll post a new one when it's working properly. --JasonBlevins

I'd like to hear what people think about the following:

  1. Including whitelists of elements and attributes for SVG and MathML in htmlscrubber.

  2. Creating a whitelist of safe SVG (and maybe even HTML) style attributes such as fill, stroke-width, etc.

    This is how the sanitizer in html5lib works. It shouldn't be too hard to translate the relevant parts to Perl.

    --JasonBlevins, March 21, 2008 11:39 EDT

Another problem is that HTML::Scrubber converts all tags to lowercase. Some SVG elements, such as viewBox, are mixed case. It seems that properly handling SVG might require moving to a different sanitizer. It seems that HTML::Sanitizer has functions for sanitizing XHTML. Any thoughts? --JasonBlevins, March 21, 2008 13:54 EDT

I figured out a quick hack to make HTML::Scrubber case-sensitive by making the underlying HTML::Parser case-sensitive:


So now I've got a version of htmlscrubber.pm (diff) which allows safe SVG and MathML elements and attributes (but no styles—do we need them?). I'd be thrilled to see this in the trunk if other people think it's useful. --JasonBlevins, March 24, 2008 14:56 EDT

Unfortunately these links are broken. --Joey

Actually, there's a way to embed SVG into MarkDown sources using the data: URI scheme, like this. Of course, this way to display an image one needs to click a link, but it may be considered a feature. — Ivan Shmakov, 2010-03-12Z.

You can do the same with img src actually.

If svg markup allows unsafe elements (i.e., javascript), which it appears to, then this is a security hole, and the htmlscrubber needs to lock it down more. Darn, now I have to spend my afternoon making security releases! --Joey
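The whitelist approach discussed above (Jason's items 1 and 2, the case-sensitivity problem with viewBox, and Joey's point about scripting), as an added Python example in the spirit of the html5lib sanitizer; this is not ikiwiki's htmlscrubber.pm or any patch posted in this thread. The whitelists, the sample SVG and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialize <svg> without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)
# Constructed whitelists, a small subset for illustration (not html5lib's or ikiwiki's
# lists). Matching is case-sensitive: "viewBox" survives, "viewbox" is dropped.
SAFE_ELEMENTS = {"svg", "g", "rect", "circle", "path", "text", "title", "desc", "a"}
SAFE_ATTRS = {"width", "height", "viewBox", "x", "y", "cx", "cy", "r", "d",
              "fill", "stroke", "stroke-width", "id", "class", "href"}
URL_ATTRS = {"href"}                       # values also get a scheme check
SAFE_SCHEMES = {"http", "https", "mailto"}
# Constructed sample: script, event handler, javascript: URL and style mixed with real content.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
          ' viewBox="0 0 10 10" onload="alert(1)"><script>alert(1)</script>'
          '<a xlink:href="javascript:alert(1)"><rect x="1" y="1" width="4" height="4"/></a>'
          '<circle cx="5" cy="5" r="2" style="fill:blue"/></svg>')
def split_qname(qname):                    # '{uri}name' -> (uri, name), uri '' if unqualified
    uri, _, name = qname[1:].partition("}") if qname[0] == "{" else ("", "", qname)
    return uri, name
def url_ok(value):                         # fragments/relative pass; schemes must be listed
    v = value.strip()
    return v.startswith("#") or ":" not in v or v.split(":", 1)[0].lower() in SAFE_SCHEMES

def sanitize_svg(markup):
    """Return (clean_markup, dropped): the SVG with everything off the whitelist removed."""
    if "<!DOCTYPE" in markup:              # no entity declarations in wiki content
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(markup)
    if split_qname(root.tag) != (SVG_NS, "svg"):
        raise ValueError("root element is not <svg>")
    dropped = []
    def walk(elem):
        for child in list(elem):
            uri, name = split_qname(child.tag)
            if uri != SVG_NS or name not in SAFE_ELEMENTS:
                dropped.append("element:" + name)
                elem.remove(child)         # the whole subtree goes with it
            else:
                walk(child)
        for attr in list(elem.attrib):
            uri, name = split_qname(attr)
            if uri not in ("", XLINK_NS) or name not in SAFE_ATTRS:
                dropped.append("attr:" + name)
                del elem.attrib[attr]
            elif name in URL_ATTRS and not url_ok(elem.attrib[attr]):
                dropped.append("url:" + elem.attrib[attr])
                del elem.attrib[attr]
    walk(root)
    return ET.tostring(root, encoding="unicode"), dropped
```

Because ElementTree keeps the XML names as written, the lowercasing problem with HTML::Scrubber does not arise here; an HTML-oriented parser would need the same case-sensitive treatment before a whitelist containing viewBox could work.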