Uploading SVG with viewbox attribute fails

Hi helpful folks,
I’m enjoying Kirby 3.9.2 with a local PHP 8.1.12 on OSX but got into trouble uploading an .svg though the panel. The error message is:

The “viewbox” attribute (line 8) is not allowed: Not included in the global allowlist
Bildschirmfoto 2023-05-05 um 20.36.09

After removing the attribute the upload is fine, but the svg is not displayed :confused:
Therefore I added it again to the file, after upload.

My question:

  1. Is there a security risk having ‘viewbox’ in my svg-file? Just curious after checking the discussion here

  2. How can I edit the ‘global allowlist’ as stated in the error message? Should I?

Here are the first 8 lines of the file. The svg was created with a probably old version of CorelDraw…

 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve"
            version="1.1" style="
      shape-rendering: geometricPrecision;
      text-rendering: geometricPrecision;
      image-rendering: optimizeQuality;
      fill-rule: evenodd;
      clip-rule: evenodd;
    "  **viewbox="0 0 1080 800"** >


Hm, viewBox is in the list of allowed attributes, however, with camelCase not like in your example without.

So you would have to add it to the Kirby\Sane\Svg::$allowedAttributes array like described in the thread you linked above. Or change the spelling of your svg attribute.

1 Like

Changing the attribute from viewbox to viewBox had the great side effect, that the dimensions and file preview works now. I guess this is somewhere else to fix?

They remain 0x0 for the svg with lowercase “viewbox”.

Also, I added viewbox to the allowedAttributes and upload works fine. :partying_face:

Thank you for the quick reply!

The attribute is actually called viewBox, not viewbox, no idea why your svgs have it is as all lower case attribute: viewBox - SVG: Scalable Vector Graphics | MDN