mirror
/
wagtail
kopia lustrzana https://github.com/wagtail/wagtail
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Add more detail to SVG security notes, update settings reference

pull/10295/head
Joshua Munn 2023-02-10 14:53:21 +00:00 zatwierdzone przez Matt Westcott
rodzic ef12245351
commit 657afde30a
2 zmienionych plików z 14 dodań i 1 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

8
docs/reference/settings.md
Wyświetl plik

@ -367,6 +367,14 @@ If this isn't supplied, all of GIF, JPG, JPEG, PNG, WEBP are allowed.
Warning: this doesn't always ensure that the uploaded file is valid as files can
be renamed to have an extension no matter what data they contain.
### `WAGTAILIMAGES_ALLOW_SVG`
```python
WAGTAILIMAGES_ALLOW_SVG = True
```
If `True`, this setting allows editors to upload and use SVG images alongside the default image formats (`False` by default).
## Documents
### `WAGTAILDOCS_DOCUMENT_MODEL`

7
docs/topics/images.md
Wyświetl plik

@ -445,4 +445,9 @@ Wagtail's underlying image library, Willow, is configured to mitigate known XML
When including SVG images in templates via the `image` tag, they will be rendered as html `img` elements. In this case, `script` elements in SVGs will not be executed, mitigating XSS attacks.
If a user navigates directly to the URL of the SVG file embedded scripts may be executed, depending on server/storage configuration. This can be mitigated by setting appropriate Content-Security-Policy and Content-Disposition headers, and serving media from a different domain to the Wagtail site.
If a user navigates directly to the URL of the SVG file embedded scripts may be executed, depending on server/storage configuration. This can be mitigated by setting appropriate Content-Security-Policy or Content-Disposition headers for SVG responses:
- setting `Content-Security-Policy: default-src 'none'` will prevent scripts from being loaded or executed (as well as other resources - a more relaxed policy of `script-src 'none'` may also be suitable); and
- setting `Content-Disposition: attachment` will cause the file to be downloaded rather than being immediately rendered in the browser, meaning scripts will not be executed (note: this will not prevent scripts from running if a user downloads and subsequently opens the SVG file in their browser).
The steps required to set headers for specific responses will vary, depending on how your Wagtail application is deployed.