FIX: add support for style element in SVGs

FIX: add support for style element in SVGs

diff --git a/lib/upload_creator.rb b/lib/upload_creator.rb
index a1386fe..0aa4af8 100644
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@@ -9,7 +9,7 @@ class UploadCreator
 
   WHITELISTED_SVG_ELEMENTS ||= %w{
     circle clippath defs ellipse g line linearGradient path polygon polyline
-    radialGradient rect stop svg text textpath tref tspan use
+    radialGradient rect stop style svg text textpath tref tspan use
   }.each(&:freeze)
 
   # Available options
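Review bot: Adding `style` to WHITELISTED_SVG_ELEMENTS admits the element by name, and nothing in this hunk shows the CSS text inside it being filtered. Unlike a `style` attribute, a `<style>` block accepts at-rules such as `@import` and `@font-face` that can reference external hosts, so a rendered upload could make viewers' browsers issue outbound requests; whether the sanitizer that consumes this list (outside the hunk) inspects text nodes should be confirmed. If it does not, I would strip or reject external references in `<style>` content, or at minimum record the decision beside the list, e.g. `# style: CSS text is passed through unfiltered; external @import/url() is not blocked here`. Separately, `.each(&:freeze)` freezes the strings but returns the array itself unfrozen, so the allow-list stays mutable at runtime; `}.each(&:freeze).freeze` would close that, provided nothing elsewhere relies on appending to it.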
diff --git a/spec/fixtures/images/image.svg b/spec/fixtures/images/image.svg
index b95c0f4..f997dcf 100644
--- a/spec/fixtures/images/image.svg
+++ b/spec/fixtures/images/image.svg
@@ -1,3 +1,6 @@
 <svg width="100" height="50">
-  <text x="25" y="25">Discourse</text>
+  <style>
+    .black { fill: #FFFFFF; }
+  </style>
+  <text class="black" x="25" y="25">Discourse</text>
 </svg>
diff --git a/spec/models/upload_spec.rb b/spec/models/upload_spec.rb
index 1fe964d..95ed94f 100644
--- a/spec/models/upload_spec.rb
+++ b/spec/models/upload_spec.rb
@@ -45,6 +45,16 @@ describe Upload do
     end
   end
 
+  it "supports <style> element in SVG" do
+    SiteSetting.authorized_extensions = "svg"
+
+    upload = UploadCreator.new(image_svg, image_svg_filename).create_for(user_id)
+    expect(upload.valid?).to eq(true)
+
+    path = Discourse.store.path_for(upload)
+    expect(File.read(path)).to match(/<style>/)
+  end
+
   it "can reconstruct dimensions on demand" do
     upload = UploadCreator.new(huge_image, "image.png").create_for(user_id)
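Review bot: The new example only asserts that `<style>` survives the upload; it does not assert that sanitisation still removes what it should now that the element is allowed. I would add a companion case whose SVG fixture combines `<style>` with a non-whitelisted element and checks `expect(File.read(path)).not_to match(/<script/)`, so a regression in the sanitiser is caught by the same spec. `File.read(path)` also assumes `Discourse.store` is file-backed in the spec environment, which is presumably true but is configured outside this hunk. The enclosing `describe Upload` block and the `image_svg` / `image_svg_filename` helpers are defined outside the hunk as well.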

GitHub sha: c2561218


Hmmm, does this mean we are allowing animated SVGs now? Is there a griefing vector where people can “style” an SVG out of its boundaries? (I think not.)

We were already allowing styling via inline styles, so this doesn’t change much other than removing the support requests we were getting because the style tag was stripped, which made SVGs all black.
