
Opening a billion laughs exploit just made Firefox crash my system.

Possible rationale for GitHub not serving SVG images

Petah mentioned that blobs are fine because the SVG is inside an iframe.

The billion laugh SVG does make Firefox 44 freeze, but Chromium 48 is OK:

Update 2014-12: GitHub now renders SVG on blob show, so I don't see any reason why not to render on README renderings:

Also note that that SVG does have an XSS attempt but it does not run:

The regular pages also have a content-security-policy, but it is much larger.

A GitHub dev is currently looking into this:

This prevents the script from running even in raw which contains the raw SVG file:

Use Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox.

Show SVG inside view the sanitized SVG or to achieve this effect from other places (i.e.

The SVG image will be sanitized and displayed with the correct HTTP header. GitHub has implemented a feature which makes it possible for SVGs to be used with the Markdown image syntax.

Some comments regarding changes that happened along the way:

Linking to RAW files using ?sanitize=true

I copied the SVG image from the question to a repo on GitHub in order to create the examples below.

Linking to files using relative paths (Works, but obviously only on / github.io)

Code: ![Alt text](./controllers_brief.svg)

Now (at least for SVG), the correct Content-Type headers are sent. Since then GitHub has implemented various improvements. When this question was asked (in 2012) SVGs didn't work.

The purpose of is to allow users to view the contents of a file, so for text based files this means (for certain content types) you can get the wrong headers and things break in the browser.
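The effect of the raw-file policy quoted in the answers above, as an added example that is not part of the original posts or GitHub's code: a small Python audit of the headers on a response that serves a user-supplied SVG. The function names, the sample headers and the simplified CSP model (inline script only) are assumptions made for illustration.

```python
from __future__ import annotations

# Policy quoted on this page, with the ';' separators CSP requires.
RAW_SVG_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
# Constructed counter-example: same tokens, separators lost.
NO_SEPARATORS = "default-src 'none' style-src 'unsafe-inline' sandbox"

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [tokens]}; a repeated directive is ignored."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def inline_script_allowed(value: str) -> bool:
    """Simplified model (assumption): decides only whether inline script may run."""
    policy = parse_csp(value)
    # sandbox without allow-scripts blocks all script in the document.
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return False
    # script-src falls back to default-src; with neither, script is unrestricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    # 'none' only matches nothing when it is the sole source expression.
    if not sources or sources == ["'none'"]:
        return False
    overrides = ("'nonce-", "'sha256-", "'sha384-", "'sha512-", "'strict-dynamic'")
    if any(s.startswith(overrides) for s in sources):
        return False  # browsers ignore 'unsafe-inline' when these are present
    return "'unsafe-inline'" in sources

def audit_svg_response(headers: dict[str, str]) -> list[str]:
    """Return findings for a response that serves a user-supplied SVG."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not h.get("content-type", "").lower().startswith("image/svg+xml"):
        findings.append("content-type is not image/svg+xml")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no content-security-policy header")
    elif inline_script_allowed(csp):
        findings.append("policy permits inline script")
    return findings

if __name__ == "__main__":
    for name, csp in (("quoted", RAW_SVG_CSP), ("no separators", NO_SEPARATORS)):
        hdrs = {"Content-Type": "image/svg+xml", "Content-Security-Policy": csp}
        print(name, audit_svg_response(hdrs) or "ok")
```

Without the separators the whole string parses as a single default-src directive, so 'none' is no longer the only source, 'unsafe-inline' applies to script, and no sandbox directive exists.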
I have tried the following, with an actual image as well to verify the syntax is working, just that the SVG code isn't being rendered: !

The SVG I am trying to include is here on GitHub:

When I open the SVG file locally, it does work, so how do I get the browser to render the SVG in the MD file? Given that the code will be dynamic until it is finalized (seemingly never), hosting the SVG in a separate place seems overkill and that I am missing an approach to accomplish this.

I would like for that SVG to then be placed in the ReadMe.md, and be displayed. Ultimately using rails3, and changing the model frequently right now, so I am using RailRoady to generate an SVG of the schema diagram of the models.

I know that an image can be placed in an MD with the MD syntax of either ![Alt text](/path/to/img.jpg) or ![Alt text](/path/to/img.jpg "Optional title"), but I am having difficulty placing an SVG in MD where the code is hosted on GitHub.
