
Embedded images using data URIs no longer work without unsafe flag #383

Closed
stefanvdlugt opened this issue Mar 28, 2023 · 6 comments

Comments

@stefanvdlugt

Since update 2.7.0, embedded images are ignored when converting SVG files without the unsafe flag.

The images are embedded as base64:

<image id="image" width="123" height="456" xlink:href="data:img/png;base64,BASE64STRING"></image>

As the description of the unsafe option states that it allows loading external files, we'd expect data URIs to still work. Is there an option to forbid loading external resources but allow including images using data URIs?

@joaniehollberg

joaniehollberg commented Mar 31, 2023

We also are experiencing this issue. We are seeing images in our production environment rendering without backgrounds because of it. @liZe perhaps related to your recent changes?

@joaniehollberg

@stefanvdlugt how were you able to get the unsafe flag to work? I got it to work via command line, but passing unsafe=True as an option into svg2png doesn't seem to work.

@stefanvdlugt
Author

@joaniehollberg We haven't had the time to get this working yet. We are using the command line version, but we do not want to use the unsafe flag, since we only want to allow embedded resources.

The release notes of the latest version state that it is also possible to change the url_fetcher parameter in the Python module. Maybe it would be possible to let this url_fetcher only fetch embedded resources and not external ones?

@liZe
Member

liZe commented Apr 3, 2023

We also are experiencing this issue. We are seeing images in our production environment rendering without backgrounds because of it. @liZe perhaps related to your recent changes?

Yes, accessing external resources has been disabled by default because it could lead to various security problems.

@stefanvdlugt how were you able to get the unsafe flag to work? I got it to work via command line, but passing unsafe=True as an option into svg2png doesn't seem to work.

It should work. Internally, the CLI option only sets the unsafe tag of the convert function.

We are using the command line version, but we do not want to use the unsafe flag, since we only want to allow embedded resources.

The unsafe option can be set if you trust the SVG content. If you don’t, then we assumed that reaching external resources in the SVG is as dangerous as the other security threats that the unsafe option prevents.

Maybe it would be possible to let this url_fetcher only fetch embedded resources and not external ones?

If, for some reason, you don’t trust the SVG content but still want to reach external resources, then the url_fetcher option is the way to go.

Is there an option to forbid loading external resources but allow including images using data URIs?

We should allow data URLs, even without the unsafe option. Let’s close this issue when this feature is re-enabled.
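The middle ground asked for in this thread (keep external fetches blocked, still decode inline images) can be built on the url_fetcher parameter the 2.7.0 release notes mention. The following is an added example written for this page, not CairoSVG's own code and not the fix in 2cbe306. It assumes the fetcher is called as `url_fetcher(url, resource_type)` and must return the resource bytes, that `svg2png` accepts `bytestring=` and `url_fetcher=` keywords, and it uses its own allow-list of media types and its own size cap. Note that the allow-list rejects the non-standard `img/png` type from the original report; `image/png` is the registered type, so adjust the list if your producer emits something else. The sample SVG and the 1x1 PNG are constructed for the demonstration.

```python
"""Data-URI-only URL fetcher for CairoSVG (added example, not CairoSVG's code)."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_to_bytes

# Media types we are willing to decode from an inline data: URI. This
# allow-list is the example's own choice; it rejects the non-standard
# "img/png" used in the bug report above, which should read "image/png".
ALLOWED_MEDIA_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# Cap on the decoded payload so a hostile SVG cannot force a huge
# allocation. The value is an assumption; size it for your workload.
MAX_DECODED_BYTES = 8 * 1024 * 1024

_DATA_URL = re.compile(r"^data:(?P<meta>[^,]*),(?P<payload>.*)$",
                       re.DOTALL | re.IGNORECASE)
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


class ExternalResourceBlocked(ValueError):
    """Raised for any reference that is not an acceptable inline data: URI."""


def data_only_fetcher(url, resource_type):
    """Return the bytes of an inline data: URI and refuse everything else.

    Intended to be passed as ``url_fetcher=data_only_fetcher``. The
    ``(url, resource_type) -> bytes`` signature is an assumption about the
    2.7 API; ``resource_type`` is the MIME hint for the resource being
    loaded and is not needed for the allow/deny decision made here.
    """
    match = _DATA_URL.match(url.strip())
    if match is None:
        # http(s)://, file://, ftp://, relative paths: all of these leave the
        # document, which is exactly what the unsafe flag is meant to gate.
        raise ExternalResourceBlocked(f"refusing non-data URL: {url[:60]!r}")

    params = [p.strip().lower() for p in match.group("meta").split(";")]
    media_type = params[0] or "text/plain"   # RFC 2397 default
    if media_type not in ALLOWED_MEDIA_TYPES:
        raise ExternalResourceBlocked(f"media type not allowed: {media_type}")

    payload = match.group("payload")
    if "base64" in params[1:]:
        # Line-wrapped payloads are common: drop whitespace, then decode
        # strictly so stray characters fail closed instead of being skipped.
        try:
            body = base64.b64decode(re.sub(r"\s+", "", payload), validate=True)
        except ValueError as exc:   # binascii.Error is a ValueError subclass
            raise ExternalResourceBlocked("malformed base64 payload") from exc
    else:
        body = unquote_to_bytes(payload)

    if len(body) > MAX_DECODED_BYTES:
        raise ExternalResourceBlocked("decoded payload exceeds size limit")
    return body


def audit_hrefs(svg_bytes):
    """List every href in an SVG with the verdict the fetcher would give.

    Useful as a pre-flight check before rendering. Fragment references
    ("#id") are skipped because they are resolved inside the document and
    are assumed never to reach the fetcher.
    """
    report = []
    for element in ET.fromstring(svg_bytes).iter():
        url = element.get("href") or element.get(XLINK_HREF)
        if not url or url.startswith("#"):
            continue
        try:
            data_only_fetcher(url, "image/*")
            report.append((url, "inline"))
        except ExternalResourceBlocked as exc:
            report.append((url, f"blocked: {exc}"))
    return report


def render_inline_only(svg_bytes):
    """Render with CairoSVG without the unsafe flag, data: URIs still allowed.

    Assumes cairosvg >= 2.7 is installed; the keyword names are taken from
    the release notes referenced in this thread and are not verified here.
    """
    import cairosvg  # imported lazily so the rest of the file runs without it
    return cairosvg.svg2png(bytestring=svg_bytes, url_fetcher=data_only_fetcher)


# Constructed sample: a 1x1 PNG inlined next to an external file reference.
PNG_B64 = (b"iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDw"
           b"AChwGA60e6kgAAAABJRU5ErkJggg==")
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" width="2" height="1">'
    b'<image width="1" height="1" xlink:href="data:image/png;base64,' + PNG_B64 + b'"/>'
    b'<image x="1" width="1" height="1" xlink:href="file:///etc/passwd"/>'
    b'<use xlink:href="#missing"/>'
    b'</svg>'
)

if __name__ == "__main__":
    for url, verdict in audit_hrefs(SAMPLE_SVG):
        print(f"{verdict:<12} {url[:50]}")
```

Because the fetcher raises instead of returning empty bytes, a blocked reference fails the render loudly rather than silently dropping the image, which is the failure mode the reporters hit. Run `audit_hrefs` over incoming documents first if you would rather reject a file up front than have rendering abort part-way.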

@mlazar-endear

We also ran into this issue using a data: URI for an embedded image. Confirming that using unsafe=True fixed it for us via the python library bindings, i.e.

cairosvg.svg2png(content, unsafe=True)

@liZe liZe closed this as completed in 2cbe306 Apr 18, 2023
@liZe
Member

liZe commented Apr 18, 2023

This should be fixed now, tests are welcome!
