Ask Lemmy
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, toxicity and dog-whistling are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com.
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
view the rest of the comments
YSK: SVG files are a security risk. Be careful where you get them from and how you handle them.
Basically, an SVG can contain JavaScript. If you open an SVG in an application that can interpret the JS (e.g. a web browser) then the script will execute (just as with a malicious PDF), at which point it could download other files (malware) or perform any other function that the application has access to (creating, editing or deleting files on the hard drive) because you gave it permission to do that by opening the SVG. Effectively opening an SVG in a JS-capable application is the same as allowing a stranger to run arbitrary code on your computer. You might as well go around the Internet wearing a "please hack me" sign.
Downloading an SVG to your hard drive directly should be relatively safe, and opening it in a graphics program that does not execute JavaScript should have no risk, but viewing random SVGs in a web browser is a real hazard.
If your browser allows JS access or create random files, or do other arbitrary stuff, that's an extremely shit browser.
It also doesn't exist because no one worked for months or years on a browser to literally make it less secure
Eh, we had ActiveX objects and Flash at one time... ActiveX is apparently still supported by Edge in the ‘IE mode’.
This is a bit like claiming cobol is still relevant because technically it's still being used in production by some companies...
Is the statement “no one worked for months or years on a browser to literally make it less secure” true?
Also, some Lemmy users might use various newfangled alternative or experimental browsers.
How is the JavaScript in a svg different than the JavaScript in every web page on the Internet that makes it a security risk?
Literally identical. Pretty puzzled what op is smoking. Unless they disable JavaScript entirely, and in that case ain't nobody got time for dat.
Oh, it's not, the difference is that the SVG is an unexpected delivery vector.
The script on a website might change over time, might be blocked by an extension like uBlock origin that prevents sections of web code from loading in the first place. You can block a website's JS with an extension that specifically does that, like jshelter. A malicious SVG is static, the malicious code is malicious forever and is embedded in the file. A browser extension can't selectively block pieces of the file from loading.
Script blocking extensions prevent web page code from loading, but they don't prevent the application from executing JS. If you open an SVG, the file is downloaded locally (it's not web code) and the JS in the file will execute locally, with the same permissions and file system access as the user opening the file.
Isn't opening it in a web browser same as opening random website?
Yes, and the security risks associated with JavaScript are not typically seen as significant since your filesystem is not accessible and most any other vulnerable data isn't either for that matter
heh, heh... ha ha ha...
go on mate, pull the other one!
Rowhammer is unfixable, by the way, until someone invents a replacement for DRAM.
There's some weird exception to pretty much any statement. Funny enough though
Do you disable JavaScript across the board? Otherwise you're not making much sense here.
Yes, actually I use jshelter to block script and selectively allow it per website.
I like to use this to strip out unnecessary layers and optimise: https://svgomg.net/
SVGs are everywhere nowadays, from website logos, to UI elements to even the favicon.
Yup.
There's always value in understanding risk, and in limiting it.