From fc877ab3578a18b7fffa834852c56690a21af36e Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Sun, 3 Apr 2022 23:29:34 +0200
Subject: [PATCH] renderer: image/svg is also safe

When used in an image context, SVG cannot execute scripts, be styled or fetch additional resources. So, they are as safe as other formats. When used in a `` tag, it could starts executing JS, but only in its own context, so it shouldn't be dangerous either. This raises the question on which image format is dangerous.
---
 renderer/html/html.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/renderer/html/html.go b/renderer/html/html.go
index 60451df..12fa7ce 100644
--- a/renderer/html/html.go
+++ b/renderer/html/html.go
@@ -819,6 +819,7 @@ var bPng = []byte("png;")
 var bGif = []byte("gif;")
 var bJpeg = []byte("jpeg;")
 var bWebp = []byte("webp;")
+var bSvg = []byte("svg;")
 var bJs = []byte("javascript:")
 var bVb = []byte("vbscript:")
 var bFile = []byte("file:")
@@ -830,7 +831,8 @@ func IsDangerousURL(url []byte) bool {
 if bytes.HasPrefix(url, bDataImage) && len(url) >= 11 {
 v := url[11:]
 if bytes.HasPrefix(v, bPng) || bytes.HasPrefix(v, bGif) ||
- bytes.HasPrefix(v, bJpeg) || bytes.HasPrefix(v, bWebp) {
+ bytes.HasPrefix(v, bJpeg) || bytes.HasPrefix(v, bWebp) ||
+ bytes.HasPrefix(v, bSvg) {
 return false
 }
 return true
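Review bot: The new allowlist entry `bSvg = []byte("svg;")` does not match the registered SVG media type, `image/svg+xml`. Assuming `bDataImage` is `data:image/`, as the `url[11:]` offset suggests, the added `bytes.HasPrefix(v, bSvg)` in the second hunk accepts `data:image/svg;...` while a standard `data:image/svg+xml;base64,...` URL still falls through to `return true`. If inline SVG images are meant to pass, the constant probably needs to be `var bSvg = []byte("svg+xml;")`, with a test case for each spelling. SVG is also the only allowlisted type that can carry script when loaded as a document rather than as an image, and `IsDangerousURL` takes no context argument, so it is worth confirming that no caller outside this hunk uses it to vet link targets; a comment such as `// svg is treated as safe only when rendered as an image, not as a navigable document` on the constant would record that assumption. The body of `IsDangerousURL` continues past the end of the hunk.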