From 9550d2c92c296e32c40e36c87d7b34492c7749c3 Mon Sep 17 00:00:00 2001
From: smcv <smcv@web>
Date: Fri, 4 Jul 2014 05:35:57 -0400
Subject: [PATCH] yes please

---
 doc/todo/upload__95__figure.mdwn | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/doc/todo/upload__95__figure.mdwn b/doc/todo/upload__95__figure.mdwn
index 52034c21b..d8dd65921 100644
--- a/doc/todo/upload__95__figure.mdwn
+++ b/doc/todo/upload__95__figure.mdwn
@@ -8,3 +8,13 @@ Unfortunately, Github shows [[raw code|https://github.com/paternal/ikiwiki/blob/
 
 --[[Louis|spalax]]
 
+> Unfortunately SVG can contain embedded JavaScript, so anyone who can
+> upload arbitrary SVG to this wiki can execute JavaScript in its security
+> context, leading to stealing login cookies and other badness. GitHub
+> won't display arbitrary user-supplied SVG for the same reasons.
+>
+> I've seen various attempts to sanitize SVG via a whitelist, but it's
+> just too large a specification to be confident that you're right, IMO.
+>
+> This particular SVG [[looks good to me|users/smcv/ready]] and I've
+> mirrored it in my own git repo. --[[smcv]]
-- 
2.45.0