image/svg MIME breaks browser rendering of SVG files #30967

Closed
PhoenixPeca opened this issue Dec 28, 2019 · 4 comments

Comments

PhoenixPeca commented Dec 28, 2019

  • Laravel Version: 6.9.0
  • PHP Version: 7.4

Description:

Hi, I believe there's an issue with PR #30204

Apparently, browsers need the svg files to have the Content-Type: image/svg+xml to render them.

Browsers do not render the "svg" images when we set the Content-Type: image/svg in source links of <img src="..."> and css url('...') as shown in the image:
image

Opening the file directly downloads it immediately.

Steps To Reproduce:

  1. This happens when I used the Laravel response method in a route:
     return response()->file('/path/logo.svg');
  2. Then use that route as the source link of <img src="..."> or css background-image: url('...');

As mentioned in your description, this MIME only triggers when <?xml ... ?> does not exist.

So I end up with two choices to resolve locally:

  1. I edit each SVG file in my project and add the xml declaration.
  2. I override the content-type header and replace it with Content-Type: image/svg+xml

I recommend that this PR is reverted and set it back to image/svg+xml.. After all, SVG files are all based on xml.. I believe there's no need to differentiate.

Update:
Issue may not be caused by PR #30204

@GrahamCampbell
Member

Reverting that PR won't fix your issue?

@PhoenixPeca
Author

Hi @GrahamCampbell, I just did a quick debug.. Sorry, my mistake... Apparently, my issue did not get resolved when I reverted the PR. Maybe this issue is not directly related to the PR.. can you help identify?

Cheers!

@driesvints
Member

Hi there,

Thanks for reporting but it looks like this is a question which can be asked on a support channel. Please only use this issue tracker for reporting bugs with the library itself. If you have a question on how to use functionality provided by this repo you can try one of the following channels:

However, this issue will not be locked and everyone is still free to discuss solutions to your problem!

Thanks.

lao9s commented Sep 10, 2020

Hi @PhoenixPeca,
SVG with JavaScript is a subset of XSS vulnerabilities.
More details you can see here
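
An added example, not from the thread or from Laravel itself: one way to apply the second workaround from the original report (overriding the header) while also covering the script concern raised in the last comment. `svgHeaders()` and the Content-Security-Policy value are assumptions; the sample file is constructed.

```php
<?php
// Added example; svgHeaders() is a hypothetical helper, not a Laravel API.

/** Headers for serving $path as SVG, or null when it does not look like SVG. */
function svgHeaders(string $path): ?array
{
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'svg') {
        return null;
    }
    // The root element appears early, so the first 4 KiB is enough.
    $head = @file_get_contents($path, false, null, 0, 4096);
    if ($head === false) {
        return null;
    }
    // Skip BOM, whitespace, an optional XML declaration, comments and a
    // simple DOCTYPE. Anything more exotic fails closed (returns null).
    $head = (string) preg_replace(
        '/^(?:\xEF\xBB\xBF)?(?:\s+|<\?xml.*?\?>|<!--.*?-->|<!DOCTYPE[^>]*>)*/s',
        '',
        $head
    );
    if (!preg_match('/^<svg[\s>\/]/', $head)) {
        return null;
    }
    return [
        // The type browsers require, with or without an XML declaration.
        'Content-Type' => 'image/svg+xml',
        'X-Content-Type-Options' => 'nosniff',
        // Assumed policy: no script or external loads when the file is
        // opened directly as a document rather than through <img>.
        'Content-Security-Policy' => "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    ];
}

// Constructed sample: an SVG with no XML declaration.
$path = sys_get_temp_dir() . '/demo_' . uniqid() . '.svg';
file_put_contents(
    $path,
    '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
);

foreach (svgHeaders($path) ?? [] as $name => $value) {
    echo "$name: $value\n";
}
unlink($path);

// In a Laravel route the same array can be passed as the second argument:
// return response()->file($path, svgHeaders($path) ?? []);
```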
