Comments (6)
liZe
commented on June 10, 2024
1
We also are experiencing this issue. We are seeing images in our production environment rendering without backgrounds because of it. @liZe perhaps related to your recent changes?
Yes, accessing external resources has been disabled by default because it could lead to various security problems.
@stefanvdlugt how were you able to get the unsafe flag to work? I got it to work via command line, but passing
unsafe=Trueas an option intosvg2pngdoesn't seem to work.
It should work. Internally, the CLI option only sets the unsafe tag of the convert function.
We are using the command line version, but we do not want to use the unsafe flag, since we only want to allow embedded resources.
The unsafe can be set if you trust the SVG content. If you don’t, then we assumed that reaching external resources in the SVG is as dangerous as other security treats that the unsafe prevents.
Maybe it would be possible to let this
url_fetcheronly fetch embedded resources and not external ones?
If, for some reason, you don’t trust the SVG content but still want to reach external resources, then the url_fetcher option is the way to go.
Is there an option to forbid loading external resources but allow including images using data URIs?
We should allow data URLs, even without the unsafe option. Let’s close this issue when this feature is re-enabled.
from cairosvg.
joaniehollberg
commented on June 10, 2024
We also are experiencing this issue. We are seeing images in our production environment rendering without backgrounds because of it. @liZe perhaps related to your recent changes?
from cairosvg.
joaniehollberg
commented on June 10, 2024
@stefanvdlugt how were you able to get the unsafe flag to work? I got it to work via command line, but passing unsafe=True as an option into svg2png doesn't seem to work.
from cairosvg.
stefanvdlugt
commented on June 10, 2024
@joaniehollberg We haven't had the time to get this working yet. We are using the command line version, but we do not want to use the unsafe flag, since we only want to allow embedded resources.
The release notes of the latest version state that it is also possible to change the url_fetcher parameter in the Python module. Maybe it would be possible to let this url_fetcher only fetch embedded resources and not external ones?
from cairosvg.
mlazar-endear
commented on June 10, 2024
We also ran into this issue using a data: URI for an embedded image. Confirming that using unsafe=True fixed it for us via the python library bindings, i.e.
cairosvg.svg2png(content, unsafe=True)from cairosvg.
liZe
commented on June 10, 2024
This should be fixed now, tests are welcome!
from cairosvg.
Related Issues (20)
- import issue HOT 5
- Certain svgs cause cairosvg to hang (perhaps stuck in an infinite loop) HOT 5
- Cairosvg not working when deployed to AWS Lambda python 3.8 HOT 5
- CairoSVG not working on Mac M2 HOT 8
- Problem with feGaussianBlur filter HOT 1
- Svg with data URI embedded image losing image after conversion HOT 5
- OSError: no library called "cairo-2" was found on Windows HOT 2
- Embedded Images broken on Mac? HOT 2
- embedded fonts are not working HOT 1
- Wrong svg to png conversion after latest update HOT 1
- no library called cairo-2, Cairo, libcairo-2, HOT 4
- Exception has occurred: ValueError could not convert string to float: '39px' HOT 1
- svg2pdf export turns transparent background in black HOT 3
- QR code with gradient color is broken when converted to png HOT 2
- SVGs render to an empty PNG HOT 12
- svg with improperly positioned tiled images HOT 2
- Mention `output_width` and `output_height` function arguments in documentation HOT 1
- Failed to load CairoSVG in serverless program HOT 8
- closing the path for ellipse (and circle)? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cairosvg.