[ADD] *: support SVG images
Introduce official support for SVG files in the framework, including the following parts:

1. When client-side SVG images are uploaded, the content is displayed until you save using the data URI scheme according to RFC 2397 [1]. This scheme requires specifying the content format. Using hardcoded "image/png" works for all image types except SVG. Type-sniffing is done using "magic byte" detection via the first base64-encoded byte, so that the proper data URI scheme can be used. This should not cause SVG-related security problems as the file is displayed through an `<img>` tag, which does not allow SVG scripting [2].
2. Make the /web/image controller compatible with SVG.
3. Add support for SVG files for the company logo, which uses a dedicated controller.
4. Resizing of SVG files is a no-op, as it makes little sense for a vector-based format. We also want to avoid micro-alterations to the SVG document (in "natural" viewport parameters) as we would store multiple copies of the files in the filestore.
5. Because SVG files are inherently dangerous, upload of SVG files is restricted to administrators, either by blocking it directly before saving it in the database (binary fields with attachment=False), or by neutering them to the text/plain mimetype (for binary fields with attachment=True).
6. Add tests for the SVG upload cases and for the non-admin uploads.

[1] https://tools.ietf.org/html/rfc2397
[2] https://www.w3.org/wiki/SVG_Security

Closes #26635
Changed files:
- addons/web/controllers/main.py (6 additions, 2 deletions)
- addons/web/static/src/js/fields/basic_fields.js (8 additions, 1 deletion)
- addons/web/static/src/js/views/kanban/kanban_record.js (8 additions, 1 deletion)
- addons/web_editor/static/src/js/widgets/widgets.js (1 addition, 0 deletions)
- addons/website_slides/static/src/js/slides_upload.js (1 addition, 0 deletions)
- odoo/addons/base/models/ir_attachment.py (2 additions, 1 deletion)
- odoo/addons/base/models/res_users.py (1 addition, 1 deletion)
- odoo/addons/base/tests/test_mimetypes.py (14 additions, 0 deletions)
- odoo/addons/test_new_api/ir.model.access.csv (1 addition, 0 deletions)
- odoo/addons/test_new_api/models.py (9 additions, 0 deletions)
- odoo/addons/test_new_api/tests/test_new_fields.py (56 additions, 0 deletions)
- odoo/fields.py (13 additions, 1 deletion)
- odoo/tools/image.py (4 additions, 1 deletion)
- odoo/tools/mimetypes.py (10 additions, 0 deletions)
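The sniffing in point 1 and the neutering in point 5 of the commit message, sketched as an added example that is not code from this commit or from the project. All function names, the character table and the sample inputs are assumptions made for illustration. It shows why the first base64 character works only as a display hint, so the decision to neuter has to be made on the decoded bytes.

```python
import base64
import re

# First base64 character -> image subtype (assumed table for this example).
# One base64 character carries only the top 6 bits of the first byte, so "P"
# matches any payload starting with '<', '=', '>' or '?', not just SVG.
FIRST_B64_CHAR = {"/": "jpeg", "R": "gif", "i": "png", "P": "svg+xml"}

def data_uri(b64_payload, default="png"):
    """Build an RFC 2397 data URI, picking the subtype from the first base64 character."""
    subtype = FIRST_B64_CHAR.get(b64_payload[:1], default)
    return "data:image/%s;base64,%s" % (subtype, b64_payload)

# Optional XML prolog, comments and DOCTYPE, then an <svg> root element.
_SVG_ROOT = re.compile(
    rb"^\s*(?:<\?xml[^>]*\?>\s*)?(?:<!--.*?-->\s*)*(?:<!DOCTYPE[^>]*>\s*)?<svg[\s>]",
    re.I | re.S,
)

def sniff_mimetype(raw):
    """Server-side sniffing on the decoded bytes (hypothetical helper)."""
    if raw.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if raw.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if raw[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if _SVG_ROOT.match(raw):
        return "image/svg+xml"
    return "application/octet-stream"

def stored_mimetype(raw, is_admin):
    """Mimetype to store: SVG from a non-administrator is neutered to text/plain."""
    mimetype = sniff_mimetype(raw)
    if mimetype == "image/svg+xml" and not is_admin:
        return "text/plain"
    return mimetype

# Constructed sample inputs (not taken from the commit).
SVG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
HTML = b"<html><body>not an image</body></html>"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for name, raw in (("svg", SVG), ("html", HTML), ("png", PNG)):
        uri = data_uri(base64.b64encode(raw).decode())
        print(name, uri[:24], stored_mimetype(raw, is_admin=False))
```

Only the neutering path (binary fields with attachment=True) is modelled here; the blocking path for attachment=False would reject the write instead of changing the mimetype.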