But it’s just an image link to some SVG file. No HTML involved, only a Markdown image link that GitHub will render as an HTML <img src="…"/> element. The actual SVG file linked to isn’t even necessarily hosted by GitHub.
If the SVG being linked to is hosted by GitHub, they could make arbitrary changes before serving it to the browser.
IIRC, I uploaded an SVG in a GitHub comment and the resulting image had some of its interactive functionality removed. Of course, that situation is slightly different since the file was uploaded in a comment and not as part of a Git repo... but still.
GitHub could (should) be doing some sanitization of the HTML included in the readme, so they absolutely could be removing some nasty things SVGs support.
They could follow the img src and deny any which are harmful. Or even replace them with a sanitized copy.
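An added example of the "sanitized copy" idea discussed above (written here for illustration; it is not GitHub's code and says nothing about what GitHub actually does): an SVG sanitizer that drops `<script>`, `<foreignObject>` and SMIL animation elements, strips `on*` event-handler attributes, and removes `href`/`xlink:href` values with a `javascript:` or `vbscript:` scheme. The sample SVG is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)

# Elements that can execute script, embed arbitrary HTML, or animate/interact.
DROP_ELEMENTS = {"script", "foreignObject", "animate", "animateTransform",
                 "animateMotion", "set"}
# URL schemes never acceptable in an href; a data: policy is a separate decision.
UNSAFE_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def sanitize_svg(svg_text):
    """Return (clean_svg_text, list_of_removed_items).

    Stdlib parser used for brevity; a production sanitizer would also harden
    the XML parser itself (entity expansion, external DTDs) before this step.
    """
    root = ET.fromstring(svg_text)
    removed = []
    # ElementTree has no parent pointers, so build a child -> parent map.
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if el is not root and _local(el.tag) in DROP_ELEMENTS:
            parents[el].remove(el)
            removed.append(f"element:{_local(el.tag)}")
            continue
        for attr in list(el.attrib):
            name = _local(attr).lower()
            if name.startswith("on") or (
                name == "href" and UNSAFE_SCHEME.match(el.attrib[attr])
            ):
                del el.attrib[attr]
                removed.append(f"attribute:{name}")
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: a badge-style SVG carrying the things the sanitizer targets.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="120" height="40" onload="init()">
  <script>init()</script>
  <a xlink:href="javascript:void(0)"><text x="5" y="25">badge</text></a>
  <foreignObject width="100" height="30"><div xmlns="http://www.w3.org/1999/xhtml">hi</div></foreignObject>
  <rect width="120" height="40" fill="#4c1"/>
</svg>"""
```

Running `sanitize_svg(SAMPLE_SVG)` keeps the `<rect>`, `<a>` and `<text>` but reports four removals, which is the kind of change the comment above noticed when an uploaded SVG lost its interactive parts.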