edgar-bonet/test-svg-mime

Below are two SVG images. The first one contains the text “JavaScript is OFF”, together with a script that changes “OFF” to “ON”. The second one has no JavaScript:

[First SVG image, alt text: “this is the alt text of the first image”] [Second SVG image, alt text: “this is the alt text of the second image”]

On GitHub, both images are displayed, served as image/svg+xml from a different domain (raw.githubusercontent.com) with the header “Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox”. Neither Firefox nor Chromium executes the script, even if the image is opened alone, in a new tab.

Gitea has the same behavior, except that the images are served from the same domain. The script is not executed, presumably thanks to the Content-Security-Policy header.

On Gogs, clickable alt texts are displayed instead of the images. Unlike Firefox, Chromium also displays broken-image icons alongside the alt texts.

When clicking on the images, Gitea displays the raw images. GitHub instead displays a “blob” page in “rendered” view. This page contains an iframe served from render.githubusercontent.com, with the image included, as before, from raw.githubusercontent.com. That blob page has buttons for switching between the rendered and source blob views, and a link to the raw file from raw.githubusercontent.com.

When clicking on the alt texts, Gogs displays the raw source of the images (the images served as text/plain).
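
As an added example, not code from the test-svg-mime repository: a small Python check that applies the reasoning above (MIME type, the CSP default-src/script-src and sandbox directives, and <img> embedding) to decide whether a git service's response would let a browser run the script inside a user-supplied SVG. The response headers and the two SVG samples are constructed stand-ins for the README's images; CSP nonces and hashes are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the README's two test images (not the repo's files).
SVG_WITH_SCRIPT = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="40">
  <text id="t" x="10" y="25">JavaScript is OFF</text>
  <script>document.getElementById("t").textContent = "JavaScript is ON";</script>
</svg>"""
SVG_PLAIN = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="40">
  <text x="10" y="25">No JavaScript here</text>
</svg>"""

def parse_csp(header):
    """Map each CSP directive name to its (lower-cased) list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.lower().split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def svg_has_script(body):
    """True if the SVG holds a <script> element or an on* event-handler attribute."""
    for el in ET.fromstring(body).iter():
        if el.tag in ("{http://www.w3.org/2000/svg}script", "script"):
            return True
        if any(attr.lower().startswith("on") for attr in el.attrib):
            return True
    return False

def script_can_run(headers, body, embedded_as_img=False):
    """Return (can_run, reason) for a browser handling this response.
    Models the README's cases: text/plain is not rendered, <img>-embedded
    SVG never runs script, and direct navigation runs it unless the CSP
    sandboxes the document or restricts inline script (nonces/hashes not modelled)."""
    if embedded_as_img:
        return False, "SVG referenced from <img> never executes script"
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "image/svg+xml":
        return False, "served as %s, not rendered as SVG" % (ctype or "unknown type")
    if not svg_has_script(body):
        return False, "no script content in the SVG"
    csp = parse_csp(h.get("content-security-policy", ""))
    if "sandbox" in csp and "allow-scripts" not in csp["sandbox"]:
        return False, "CSP sandbox directive disables script"
    sources = csp.get("script-src", csp.get("default-src"))
    if sources is not None and "'unsafe-inline'" not in sources:
        return False, "inline script blocked by CSP source list"
    return True, "image/svg+xml with no CSP restriction on inline script"
```

Running it against the GitHub header quoted above returns a blocked result on the sandbox directive, while the same SVG served as image/svg+xml with no CSP is reported as able to run script when opened directly.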

Tests:

The issue has been reported:

Test handling of SVG on git services.