Latest commit: Edgar Bonet, 5b126d7497, "Document new behavior of GitHub" (2 months ago)

Files:
- README.md: Document new behavior of GitHub (2 months ago)
- image-nojs.svg: Add a second image with no JavaScript (3 years ago)
- image.svg: Use an image with embedded JavaScript (3 years ago)


Below are two SVG images. The first one contains the text “JavaScript is OFF”, together with a script that changes “OFF” to “ON”. The second one has no JavaScript:

![(this is the alt text of the first image)](image.svg) ![(this is the alt text of the second image)](image-nojs.svg)

On GitHub, both images are displayed. They are served as image/svg+xml from a separate domain (raw.githubusercontent.com) with the header “Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox”. Neither Firefox nor Chromium executes the script, even when the image is opened on its own in a new tab: an SVG referenced from an img element never runs script in the first place, and when the file is opened directly the CSP sandbox directive, which carries no allow-scripts flag here, blocks it. Chromium's console warns that it “Blocked script execution [...] because the document's frame is sandboxed and the 'allow-scripts' permission is not set.”

On Gogs and Gitea, the alt texts are displayed instead of the images. On Gogs, both alt texts are clickable. On Gitea only the first one is clickable. Unlike Firefox, Chromium also displays broken-image icons alongside the alt texts.

When clicking on the alt texts, Gogs and Gitea display the raw source of the images, served as text/plain, so the browser shows the markup and never parses it as SVG. When clicking on the images, GitHub instead displays a “blob” page in “rendered” view. This page contains an iframe served from render.githubusercontent.com, which in turn includes the image, as before, from raw.githubusercontent.com. The blob page has buttons for switching between the rendered and source views, and a link to the raw file on raw.githubusercontent.com.
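The two questions raised above (does an SVG carry anything that could execute script, and would the headers it is served with stop that script when the file is opened directly) can be checked offline. The following Python script is an added example for this README, not code from the repository: the two SVG strings are constructed stand-ins for image.svg and image-nojs.svg (the repository's actual files are not reproduced here), the CSP value is the one quoted above for raw.githubusercontent.com, and the text/plain case models what Gogs and Gitea do.

```python
"""Offline checker: script vectors in an SVG, and whether a CSP blocks them.

Added example for this README, not the repository's own code. SVG_WITH_SCRIPT
and SVG_NO_SCRIPT are constructed stand-ins for image.svg and image-nojs.svg;
GITHUB_RAW_CSP is the header value the README reports for raw.githubusercontent.com.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for image.svg: visible text plus a script that rewrites it.
SVG_WITH_SCRIPT = """<svg xmlns="http://www.w3.org/2000/svg" width="220" height="40">
  <text id="status" x="10" y="25">JavaScript is OFF</text>
  <script>document.getElementById("status").textContent = "JavaScript is ON";</script>
</svg>"""

# Constructed stand-in for image-nojs.svg: the same text, no script.
SVG_NO_SCRIPT = """<svg xmlns="http://www.w3.org/2000/svg" width="220" height="40">
  <text x="10" y="25">JavaScript is OFF</text>
</svg>"""

# CSP header the README reports for raw.githubusercontent.com.
GITHUB_RAW_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"


def _local(name):
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def svg_script_vectors(svg_text):
    """List the ways an SVG document could run script: <script> elements,
    on* event-handler attributes, and javascript: URLs in href/xlink:href."""
    found = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag == "script":
            found.append("script element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                found.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                found.append(f"javascript: URL on <{tag}>")
    return found


def parse_csp(header):
    """Split a CSP header into {directive: [tokens]}. Per the spec a repeated
    directive is ignored, so the first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_blocks_inline_script(header):
    """True if this policy prevents inline scripts in the document from running.

    Two independent mechanisms matter: the sandbox directive (scripts are off
    unless allow-scripts is listed, which is what GitHub relies on) and the
    script-src / default-src source list (inline script runs only with
    'unsafe-inline', and that keyword is ignored once a nonce, a hash or
    'strict-dynamic' is present)."""
    policy = parse_csp(header or "")
    if "sandbox" in policy and "allow-scripts" not in [t.lower() for t in policy["sandbox"]]:
        return True
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no restriction on scripts at all
    sources = [s.strip("'").lower() for s in sources]
    unsafe_inline_effective = "unsafe-inline" in sources and not any(
        s == "strict-dynamic" or s.startswith(("nonce-", "sha256-", "sha384-", "sha512-"))
        for s in sources
    )
    return not unsafe_inline_effective


def would_script_run(svg_text, csp_header, content_type="image/svg+xml"):
    """Model the 'open the file alone in a new tab' case from the README.

    Script inside an SVG never runs when the file is embedded through <img>, so
    that case is not modelled. Served as text/plain (Gogs, Gitea) the browser
    shows source and never parses the SVG; served as image/svg+xml the answer
    depends on whether the file has a script vector and whether the CSP blocks it."""
    if content_type.split(";")[0].strip().lower() != "image/svg+xml":
        return False
    return bool(svg_script_vectors(svg_text)) and not csp_blocks_inline_script(csp_header)


if __name__ == "__main__":
    for label, svg in (("image.svg", SVG_WITH_SCRIPT), ("image-nojs.svg", SVG_NO_SCRIPT)):
        print(label, "vectors:", svg_script_vectors(svg) or "none")
        print("  GitHub raw (CSP sandbox): ", would_script_run(svg, GITHUB_RAW_CSP))
        print("  Gogs/Gitea (text/plain):  ", would_script_run(svg, "", "text/plain"))
        print("  no CSP, image/svg+xml:    ", would_script_run(svg, ""))
```

The checker deliberately treats the sandbox directive and the script-src list separately, because either one alone is enough to stop the script here; a host that drops the sandbox directive but keeps default-src 'none' still blocks it, while a host that serves the file with no CSP at all and the correct image/svg+xml type lets it run as soon as the file is opened in its own tab.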


The issue has been reported: