[MDL-55243] SVG files are images and should be allowed for course images, drag-drop questions, etc. - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.0.5, 3.1, 3.11
Fix Version/s: 3.10.5, 3.11.1
Component/s: Course, Files API
Labels:

Affected Branches:
MOODLE_30_STABLE, MOODLE_311_STABLE, MOODLE_31_STABLE
Fixed Branches:
MOODLE_310_STABLE, MOODLE_311_STABLE
Pull from Repository:
git://github.com/HuongNV13/moodle.git
Pull 3.11 Branch:
~~MDL-55243~~-311
Pull 3.11 Diff URL:
https://github.com/HuongNV13/moodle/compare/0e64d1d00d...MDL-55243-311
Pull Main Branch:
~~MDL-55243~~-master
Pull Main Diff URL:
https://github.com/HuongNV13/moodle/compare/338b60f43b...MDL-55243-master
Testing Instructions:
Hide

Initial setup

Create a course.

Go to Site administration > Appearance > Courses

On courseoverviewfilesext setting, click Choose

Select Image (SVG+XML) .svg and Save changes.

Functional testing

Edit created Course.

Drag/Upload test_svg_no_xss.svg to Course image.

Click on Save and display button.

Go to the courses page (Site home).

Verify that you will see the image under the course name.

Verify that you will not see a link to the SVG file.

XSS testing (Case 1)

Go to the courses page (Site home).

Right-click on the SVG image and click "Open image in New Tab".

Verify that the browser will not display the image directly.

Verify that the browser will download the file to your computer.

XSS testing (Case 2)

Edit created Course.

Drag/Upload test_svg_with_xss.svg to Course image.

Click on Save and display button.

Go to the courses page (Site home).

Verify that you will not see a popup that says "Test XSS".

Right-click on the SVG image and click "Open image in New Tab".

Verify that the browser will not display the image directly.

Verify that the browser will download the file to your computer.

Verify that you will not see a popup that says "Test XSS".
Show
Initial setup Create a course. Go to Site administration > Appearance > Courses On courseoverviewfilesext setting, click Choose Select Image (SVG+XML) .svg and Save changes . Functional testing Edit created Course. Drag/Upload test_svg_no_xss.svg to Course image. Click on Save and display button. Go to the courses page (Site home). Verify that you will see the image under the course name. Verify that you will not see a link to the SVG file. XSS testing (Case 1) Go to the courses page (Site home). Right-click on the SVG image and click "Open image in New Tab". Verify that the browser will not display the image directly. Verify that the browser will download the file to your computer. XSS testing (Case 2) Edit created Course. Drag/Upload test_svg_with_xss.svg to Course image. Click on Save and display button. Go to the courses page (Site home). Verify that you will not see a popup that says "Test XSS". Right-click on the SVG image and click "Open image in New Tab". Verify that the browser will not display the image directly. Verify that the browser will download the file to your computer. Verify that you will not see a popup that says "Test XSS".

Story Points:
1
Sprint:
Internationals - 4.0 Sprint 1, HQ Team International Sprint 2, HQ Team International Sprint 3

Description

The is_valid_image returns false for svg files.

This means that when looking at the courses page we do not see an image for the course but simply a link to the svg file.

NOTE: It is likely that svg files were excluded at the time the code was written because IE didn't support them. All modern browsers support svg files now.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDl-55243_Test Passed.png
186 kB
24/Jun/21 12:28 PM
MDL-55243 error.png
37 kB
18/Jun/21 8:06 AM
MDL-55243 func ok.png
9 kB
23/Jun/21 10:21 AM
svg image in courses page.png
109 kB
16/Jul/16 3:08 AM
test_svg_no_xss.svg
4 kB
01/Jun/21 2:45 PM
test_svg_no_xss-1.svg
4 kB
13/Oct/21 2:48 PM
test_svg_with_xss.svg
4 kB
01/Jun/21 2:45 PM

Issue Links

caused a regression

MDL-72242 Missing SVG files in forum posts

Closed

MDL-72317 Auto-resize in filepicker shows NaN for SVG images

Closed

MDL-72443 SVG files do not support the preview mode

Closed

has a non-specific relationship to

MDL-61963 Remove file format restrictions for Logos

Open

MDL-72018 Add support to SVG files to badges

Open

has been marked as being related by

MDL-61215 Badge and user profile picture using an svg file doesn't display

Closed

is blocked by

MDL-71737 portfolio_flickr should use its own method to check the supported files

Closed

is duplicated by

MDL-71430 Drag-drop markers question form validation cannot handle SVG background images

Closed

(1 has been marked as being related by, 1 is blocked by, 1 is duplicated by)

Activity

People

Assignee:: Huong Nguyen

Reporter:: guy thomas

Peer reviewer:: Simey Lameze

Integrator:: Andrew Lyons

Tester:: Gladys Basiana

Participants:: Andrew Lyons, CiBoT, David Mudrák (@mudrd8mz), Eloy Lafuente (stronk7), fishfree, Gladys Basiana, guy thomas, Helen Foster, Huong Nguyen, Marina Glancy, Matteo Scaramuccia, Simey Lameze, Tim Hunt

Votes:: 7 Vote for this issue

Watchers:: 17 Start watching this issue

Dates

Created:: 16/Jul/16 3:08 AM

Updated:: 20/Oct/21 11:19 AM

Resolved:: 25/Jun/21 5:39 AM

Fix Release Date:: 12/Jul/21

Time Tracking

Estimated:

Remaining:

Logged:

4d 5h 41m

Details

Initial setup

Functional testing

XSS testing (Case 1)

XSS testing (Case 2)

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Time Tracking