Comment by c-hendricks
6 days ago
Github could (should) be doing some sanitation of the HTML included in the readme, so they absolutely could be removing some nasty things SVGs support
But it’s just an image link to some SVG file. No HTML involved, only a Markdown image link that GitHub will render as an HTML <img src="…"/> element. The actual SVG file linked to isn’t even necessarily hosted by GitHub.
If the SVG being linked to is hosted by GitHub, they could make arbitrary changes before serving it to the browser. IIRC, I uploaded an SVG in a GitHub comment and the resulting image had some of its interactive functionality removed. Of course, that situation is slightly different since the file was uploaded in a comment and not as part of a Git repo... but still.
They could follow the img src and deny any which are harmful. Or even replace them with a sanitized copy.
This is nonsense. The actual file at the URL could change at any time. No system is doing something like that if it isn’t serving the file itself.
And, getting back to the original point, you wouldn’t be worrying that GitHub doesn’t “support” a URL that happens to point to a file of a particular subformat that the URL itself doesn’t disclose.
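As an added example, not GitHub's code and not from anyone in this thread: the kind of sanitizer a host that serves uploaded SVGs itself (the situation described for comment uploads above) could apply before serving the file. It parses the SVG, drops the script, foreign-content and animation elements, strips event-handler attributes, and allows `href`/`xlink:href` only for same-document `#id` references, which is roughly what "interactive functionality removed" amounts to. The function and constant names are my own, and the sample SVG is constructed for the demonstration. Note that this only matters when an SVG is served directly or embedded as a document; browsers do not run scripts in an SVG loaded through an `<img>` element, which is the README case discussed above.

```python
"""Minimal allow-list style SVG sanitizer (added example, not GitHub's code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the usual prefixes in the serialized output instead of ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry scripting, embedded HTML, or declarative animation.
DROP_ELEMENTS = {
    "script", "foreignObject",
    "set", "animate", "animateMotion", "animateTransform",
}


def _local(qualified):
    """'{http://www.w3.org/2000/svg}rect' -> 'rect'; plain names pass through."""
    return qualified.rsplit("}", 1)[-1] if qualified.startswith("{") else qualified


def _attr_allowed(name, value):
    """Decide whether an attribute may stay on an element."""
    local = _local(name).lower()
    v = value.strip().lower()
    if local.startswith("on"):            # onload, onclick, onmouseover, ...
        return False
    if local == "href":                   # href and xlink:href
        return v.startswith("#")          # same-document references only
    if "javascript:" in v or "url(" in v: # e.g. style="fill:url(...)" or scheme tricks
        return False
    return True


def sanitize_svg(svg_text):
    """Return (sanitized_svg, removals).

    removals is a list of tuples in document order:
      ("element", local_name)            for dropped elements
      ("attr", element_local, attr_local) for dropped attributes
    """
    root = ET.fromstring(svg_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    removals = []
    for elem in list(root.iter()):        # snapshot: we mutate the tree below
        tag = _local(elem.tag)
        if tag in DROP_ELEMENTS and elem is not root:
            parent_of[elem].remove(elem)
            removals.append(("element", tag))
            continue                      # its attributes go with it
        for name in list(elem.attrib):
            if not _attr_allowed(name, elem.attrib[name]):
                del elem.attrib[name]
                removals.append(("attr", tag, _local(name)))
    return ET.tostring(root, encoding="unicode"), removals


# Constructed sample: a harmless SVG that exercises each feature the sanitizer handles.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="console.log('load')">
  <defs><circle id="dot" r="4"/></defs>
  <script>console.log('script ran')</script>
  <rect width="100" height="100" fill="#ccc" onclick="console.log('click')"/>
  <use xlink:href="#dot" x="10" y="10"/>
  <use xlink:href="https://example.invalid/remote.svg#x"/>
  <a href="javascript:console.log('link')"><text y="50">link</text></a>
  <foreignObject width="100" height="50">
    <div xmlns="http://www.w3.org/1999/xhtml">embedded html</div>
  </foreignObject>
  <set attributeName="fill" to="red" begin="click"/>
</svg>"""


if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_SVG)
    print(clean)
    for item in removed:
        print("removed:", item)
```

The sanitizer runs on the stored copy, so it is unaffected by the objection above that a remotely linked file can change after it was checked; it is only meaningful for files the host serves itself. For untrusted input in production, parse with `defusedxml` rather than the stock parser so entity-expansion tricks are refused as well.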