SVG blobs are getting sanitized unnecessarily
While investigating another issue, @fjsanpedro and I realized that the logic we have in place to sanitize SVG blobs before rendering them is actually not needed.
The sanitization was originally added by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/2667, which took the source from https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/637, which links to https://stackoverflow.com/questions/4881364/sanitizing-an-svg-document-by-whitelisting-elements as motivation for the sanitization.
However, this page speaks of embedding SVG XML right into an HTML document, in which case <script> elements will be executed as JS. This is not the case when loading an SVG image through the src attribute of an <img> tag, as specified in https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image.
We also noticed that the sanitization hasn't actually worked properly since https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3401, when the <script> tag was (accidentally) whitelisted.
I think we can stop sanitizing SVG files, and load the image using its raw URL, rather than a constructed data URI, just like we do for other image blobs.
We may need to update the raw endpoint to make sure it sends the correct content type. We should be sure to keep Content-Disposition set to attachment, so that the SVG file is not rendered by the browser, which would also execute the scripts.
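As an added example (not GitLab's code), a minimal whitelist-based SVG sanitizer in Python: with a hypothetical element whitelist that accidentally admits `script`, the element passes through untouched, which is the failure mode described above; the corrected whitelist strips it. A second helper checks the raw-endpoint response headers this issue asks for, assuming `image/svg+xml` is the correct content type.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default namespace on output

# Hypothetical whitelists for illustration; these are not GitLab's actual lists.
SAFE_ELEMENTS = {"svg", "g", "rect", "circle", "path", "text", "title", "desc"}
# The defective variant: "script" accidentally added to the whitelist.
BROKEN_ELEMENTS = SAFE_ELEMENTS | {"script"}


def local_name(tag):
    # ElementTree renders namespaced tags as "{ns}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]


def sanitize_svg(svg_text, allowed):
    """Drop every element (and its subtree) whose name is not whitelisted."""
    root = ET.fromstring(svg_text)
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    def prune(parent):
        for child in list(parent):
            if local_name(child.tag) not in allowed:
                parent.remove(child)
            else:
                prune(child)

    prune(root)
    return ET.tostring(root, encoding="unicode")


def contains_script(svg_text):
    """True if any <script> element survives in the document."""
    return any(local_name(el.tag) == "script" for el in ET.fromstring(svg_text).iter())


def raw_headers_safe(headers):
    """Raw endpoint must serve SVG as image/svg+xml and force download, not rendering."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "").split(";")[0].strip().lower()
    return ctype == "image/svg+xml" and disp == "attachment"


# Constructed sample: an SVG with an inert <script> element to exercise the whitelist.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/>'
          '<script>/* inert sample */</script></svg>')

if __name__ == "__main__":
    print(contains_script(sanitize_svg(SAMPLE, BROKEN_ELEMENTS)))  # True: script slips through
    print(contains_script(sanitize_svg(SAMPLE, SAFE_ELEMENTS)))    # False: script removed
```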