Allow <img> tag with community.kde.org (for urls of certain domains)
Closed, Invalid
Public

Description

For wiki pages talking about icons* it would be great if SVG images could be embedded from external sites (if possible, a restriction to KDE domains might make sense). Think about pages like
https://community.kde.org/Calligra/Icons/3.0
https://community.kde.org/KDE_Visual_Design_Group/LibreOffice_Breeze

Embedding PNG images from external sites works nicely, by just noting the plain URL. So the same/similar would be good to have for SVG images as well, especially with all Breeze icons being in SVG.

estan hinted "Regarding your PS: Seems a patch for MediaWiki to allow this is under review, but still not merged :/ https://gerrit.wikimedia.org/r/#/c/184337/ . It will be opt-in because of security implications (e.g. JS in SVGs), so KDE sysadmins will have to activate it with $wgAllowExternalSVG.

Until then, what they could do is allow the img tag with $wgAllowImageTag, which I think would allow external SVGs (with a little lengthier syntax)." in https://frinring.wordpress.com/2015/11/21/your-input-please-naming-of-action-icons-tables-vectorpaths-animation-text/#comment-4779

Would it be possible to enable $wgAllowImageTag, or do you see a bigger security risk because of which we had better not do that?

kossebau created this task. Nov 21 2015, 3:57 PM
kossebau updated the task description.
kossebau raised the priority of this task from to Needs Triage.
kossebau added a project: Sysadmin.
kossebau moved this task to External: Active on the Sysadmin board.
kossebau added a subscriber: kossebau.

Is this still needed?

Restricted Application added a subscriber: sysadmin. Jun 28 2016, 8:59 AM

Those wiki pages are linking to quickgit. Hotlinking to quickgit can cause a high load on the server. It's a repository browser, not a static file server.

In fact, if it is indeed possible to make the wiki filter what images can be embedded based on the domain, I would block quickgit for all image types.

You should either upload the icons to the wiki, or we can arrange some web server for them.
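Added example, not part of the thread and not MediaWiki's own code: a sketch of the per-domain embed filter discussed above, which allows KDE hosts while blocking quickgit for all image types. The suffix `kde.org`, the host name `quickgit.kde.org`, the port rule and the function name `embed_decision` are assumptions for illustration; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed policy values; the thread only names "KDE domains" and quickgit.
ALLOWED_SUFFIXES = ("kde.org",)
BLOCKED_HOSTS = ("quickgit.kde.org",)
ALLOWED_SCHEMES = ("https", "http")


def embed_decision(url):
    """Return (allowed, reason) for an external image URL."""
    try:
        parts = urlsplit(url.strip())
        # Normalise case and a trailing root dot before comparing.
        host = (parts.hostname or "").rstrip(".").lower()
        port_ok = parts.port in (None, 80, 443)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # "https://community.kde.org@other.example/" points at other.example.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    if not host or not port_ok:
        return False, "missing host or unusual port"
    # The deny list wins over the allowlist, for every image type.
    if host in BLOCKED_HOSTS:
        return False, "host blocked"
    # Compare whole DNS labels so that "kde.org.example.net" and
    # "notkde.org" do not pass a naive substring or suffix test.
    if any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return True, "host on allowlist"
    return False, "host not on allowlist"


# Constructed sample URLs, not taken from the wiki pages.
SAMPLES = [
    "https://community.kde.org/images/icon.svg",
    "https://quickgit.kde.org/?p=breeze.git&a=blob&f=icon.svg",
    "https://kde.org.example.net/icon.svg",
    "https://community.kde.org@example.net/icon.svg",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", embed_decision(sample))
```
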

I believe this issue was concerning SVG image linking in general, rather than linking to PNGs. I've already sorted out the hotlinking on the Calligra page earlier, and the LibreOffice page doesn't appear to be hotlinking as far as I can tell (regular <a> links without an <img> are perfectly fine).

bcooksley closed this task as Invalid. Jul 20 2016, 7:46 AM

Closing, no response.