Last modified: 2012-02-21 11:12:07 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 4388 - Forbidding TITLE elements in uploaded SVG files is overkill
Forbidding TITLE elements in uploaded SVG files is overkill
Product: Wikimedia
Classification: Unclassified
SVG rendering (Other open bugs)
All All
: Normal normal with 3 votes (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
  Show dependency treegraph
Reported: 2005-12-26 04:33 UTC by AnonMoos
Modified: 2012-02-21 11:12 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description AnonMoos 2005-12-26 04:33:36 UTC
If you attempt to upload an SVG file with a TITLE.../TITLE element in it, the software currently 
gives you a cryptic error message (and aborts the upload process in such a manner that the 
information previously entered into the upload form is irretrievably lost, so that you have to start 
from scratch in order to try again).

Unfortunately, the formal SVG standard _recommends_ that every SVG document should have a TITLE 
element, which "serves the purposes of identifying the content of the given SVG document fragment" - 
and in fact the TITLE element is the quickest and easiest way of including document metadata (for 
exmple, the contents of the overall TITLE element will be displayed in the window title bar when 
using the Adobe SVG viewer plugin).

Furthermore, according to the SVG grammar, an SVG file can contain multiple TITLE.../TITLE elements 
annotating each subsection, and this is an essential part of the "SVG Content Accessibility 
Guidelines" devised for making the content of SVG files partially accessible to users who can't view 
them in the ordinary way.

So forbidding all TITLE.../TITLE elements from SVG files is not particularly desirable (and I find 
it annoying, since all my SVG files are annotated with TITLEs).
Comment 1 Ævar Arnfjörð Bjarmason 2005-12-26 04:40:46 UTC
Are you sure that it's the title element that's causing your MediaWiki
installation to reject the file?
Comment 2 AnonMoos 2005-12-26 06:47:10 UTC
I'm not running it, it's  A number of filters were placed on SVG files accepted for upload to filter out unwanted script elements etc., and one of them is blocking 
TITLE elements.
Comment 3 Robert Fleming 2006-01-31 06:22:51 UTC
See Talk:Graphviz ..

On, raw SVG output from Graphviz is rejected.  The only way to
get the file accepted is to eliminate nested "<g>" elements *and* "<title>"
elements (at least those inside "<g>" elements).
Comment 4 Harry Wood 2006-03-08 12:01:51 UTC
Yes it does reject <title> tags. 

There's some more information and reasoning given in the code: SpecialUpload.php
line 792 function detectScript

"Internet Explorer for Windows performs some really stupid file type
autodetection which can cause it to interpret valid image files as HTML and
potentially execute JavaScript, creating a cross-site scripting attack vectors.

Apple's Safari browser also performs some unsafe file type autodetection which
can cause legitimate files to be interpreted as HTML if the web server is not
correctly configured to send the right content-type (or if you're really
uploading plain text and octet streams!)

Returns true if IE is likely to mistake the given file for HTML. Also returns
true if Safari would mistake the given file for HTML when served with a generic

This detectScript function will pick up on
<body','<head','<html','<img','<pre','<script','<table','<title'  and returns
true, resulting in a red error message: "This file contains HTML or script code
that my be erroneously be interpreted by a web browser." (complete with typo)

So w3c standard SVG files are getting rejected. Nice simple triangle example: ...has <title> so it wont
work. Whether the detectScript function should change I dunno, but I commented
it out on my intranet installation.
Comment 5 AnonMoos 2006-03-15 21:51:33 UTC
(In reply to comment #4)

> SpecialUpload.phpline 792 function detectScript: "Returns true if IE is likely to mistake the given 
file for HTML. Also returns true if Safari would mistake the given file for HTML when served with a 
generic content-type" This detectScript function will pick up on 
<body','<head','<html','<img','<pre','<script','<table','<title'.  So w3c standard SVG files are 
getting rejected.

Well BODY, HEAD, HTML, IMG, PRE, and TABLE elements have no place in an SVG file, while SCRIPT is out 
of line with the intended use of SVG files on Wikimedia Commons.  But TITLE is a recommended part of 
every SVG file, and an essential part of W3C standard "Content Accessibility Guidelines", as mentioned 
before (see Appendix H to the SVG 1.1 standard) -- in fact, a well-commented SVG file should often 
contain multiple TITLE elements.

I don't think that the SVG file upload code should be defensively checking against things that might 
speculatively happen if an SVG file is hypothetically delivered with an incorrect MIME type -- rather, 
it should be the job of the file serving code to make sure that SVG files are always delivered with 
the correct MIME type.  (In most cases, SVG files will actually be viewed in rendered raster image 
form, in any case.)  Be as zealous in rejecting scripting code as you want, but don't reject a 
legitimate part of the SVG file format definition which performs a valid function.
Comment 6 Tuukka Hastrup 2006-04-07 02:41:08 UTC
I uploaded an SVG file created with Graphviz to now.
Nested g tags passed but I still needed to remove all the good title tags. 

Please solve this somehow. May I suggest that you accept uploads with title tags
but strip them on download time as long as you consider the security risk important?
Comment 7 Rob Church 2006-04-08 14:29:58 UTC
It might make sense to whitelist the <title> attribute in SVG images (after the
MIME detection stuff).
Comment 8 Ævar Arnfjörð Bjarmason 2006-05-22 07:14:26 UTC
RESOLVED FIXED, enabled $wgAllowTitlesInSVG which allows svg files with a title
element to be uploaded.

Note You need to log in before you can comment on or make changes to this bug.