Details
Bug
Resolution: Unresolved
Major
All
Small
Description
During tests of https://jira.talendforge.org/browse/TCOMP-2100, it appears that the generated XML is not valid.
I attached one generated XML file (you can test it on https://www.xmlvalidation.com/).
ANALYSIS
With jmfrancois we found that all SVG icons shall be cleaned of non-SVG XML elements.
Icons shall not contain:
"<?xml version="1.0" encoding="UTF-8" standalone="no"?>"
As you can see, icons are not cleaned by the framework:
This is a safety issue because customers could create SVGs containing injections that the framework does not remove.
- Normally any icon provided by the design team is cleaned using SVGO https://svgo.dev/
- It is usable online with https://jakearchibald.github.io/svgomg/
But because the framework can load customer icons, it should clean the icon, or not accept it if it is not valid according to an SVGO-style tool.
I created my test icons (attached to the ticket) with Inkscape: http://www.inkscape.org/namespaces/inkscape, which is why I generated the issue.
For more information about SVG and tools like SVGO, contact
Final decision
As cleaning would be costly on each execution, or not so easy during the build, it has been decided to add the content test to the existing SVG validator.
We already have some SVG checks; we can add this SVGO check to them.
Do not hesitate to contact jmfrancois or UX team for more info on this subject.
This task will require a new documentation section to explain how to manually clean SVG icons.
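One way to write the content test described in the final decision, as an added example (it is not the framework's validator and does not call SVGO): it rejects an icon that carries an XML declaration, content from a foreign namespace such as Inkscape's, or active content. The function names, the allowed-namespace set, the rejected tags and the DOCTYPE rule are assumptions, and both sample icons are constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Assumption: attributes may be un-namespaced ("") or xlink; anything else is foreign.
ALLOWED_ATTR_NS = {"", "http://www.w3.org/1999/xlink"}
ACTIVE_TAGS = {"script", "foreignObject"}  # assumption: rejected outright

# Constructed sample: an editor export like the one described in the ticket.
EDITOR_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
     viewBox="0 0 16 16" inkscape:version="1.0" onload="init()">
  <path d="M2 2h12v12H2z"/>
</svg>"""
# Constructed sample: the same icon after manual cleaning.
CLEAN_ICON = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><path d="M2 2h12v12H2z"/></svg>'

def split_qname(qname):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname

def validate_icon(svg_text):
    """Return a list of violations; an empty list means the icon is accepted."""
    # Checked on the raw text so a DOCTYPE (and its entities) never reaches the parser.
    if "<!doctype" in svg_text.lower():
        return ["DOCTYPE declaration present"]
    errors = []
    if "<?" in svg_text:
        errors.append("XML declaration or processing instruction present")
    try:
        root = ET.fromstring(svg_text.encode("utf-8"))
    except ET.ParseError as exc:
        return errors + [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        ns, local = split_qname(elem.tag)
        if ns != SVG_NS:
            errors.append(f"non-SVG element <{local}>")
        elif local in ACTIVE_TAGS:
            errors.append(f"active content element <{local}>")
        for name in elem.attrib:
            a_ns, a_local = split_qname(name)
            if a_ns not in ALLOWED_ATTR_NS:
                errors.append(f"non-SVG attribute '{a_local}' from {a_ns}")
            elif a_local.lower().startswith("on"):
                errors.append(f"event handler attribute '{a_local}'")
    return errors
```

ElementTree does not expose `xmlns:` declarations as attributes, so a foreign namespace that is declared but never used is not reported by this check.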