SVG avatars are b0rken
-
I just tried to upload a little SVG file as an avatar. Discourse reported that I had successfully changed it but the result was empty. Turns out the SVG is somehow recognized but completely mangled – it got cut off in the middle of an attribute only 300 bytes or so after the start, an </svg> tag slapped on and the whole thing delivered as an application/octet-stream (IIRC) with a .png extension.
Many, many levels of wrong.
-
Yeah it fucks up webp too.
-
Run on over to meta.d and post the bug.
...
HAHAHAHAHAHAHAHA
-
Don't re-open my wounds!
-
Oi! Give me back my avatar!
-
Oh, it's just a disco fuck up. I thought you were doing the missing image from Chrome thing.
-
Netscape, though
-
@tufty's is a genuine image, so you were right. @LaoC's is discofuckup. In my browser they are clearly different:
-
Ah just noticed that now. My brain is failing today. Thank you.
-
@tufty's is a genuine image,
It is indeed. Back in the days before the pissforce team moved into full bikeshed mode, and occasionally fixed a bug or two, pissforce fucked up an upload of a (IIRC) png avatar - the result amused me so much I deliberately uploaded a broken image link image for posteriorority in case the bug itself got fixed.
Of course, I'm now wondering about "broken svg attacks"
-
Of course, I'm now wondering about "broken svg attacks"
Didn't we already have that? I think someone managed to make Discourse shit itself by uploading a massive SVG. Not sure if we ever found out who it was.
-
<svg>'); DROP TABLE users; --