Manual:$wgAllowTitlesInSVG/de-formal
 | This feature was removed completely in version 1.35.0. |
| SVG: $wgAllowTitlesInSVG | |
|---|---|
Allow <title> tag in SVG files. |
|
| Eingeführt in Version: | 1.7.0 (r14084) |
| Veraltet in Version: | 1.34.0 (Gerrit change 487527; git #2e833876) |
| Entfernt in Version: | 1.35.0 (Gerrit change 574920; git #I7c54d28) |
| Erlaubte Werte: | (boolean) |
| Standardwert: | true (1.34)false (1.7-1.33) |
| Andere Einstellungen: Alphabetisch | Nach Funktion | |
Details
If true, the text <title> will be allowed in files with a "svg" file extension or "image/svg+xml" MIME type.
MediaWiki will reject HTML-esque tags (including <title>) in uploaded files, as some browsers can't perform basic stuff like MIME detection and are therefore vulnerable to displaying valid image files as HTML and doing insecure things.
You should leave this set to false if your web server is misconfigured and doesn't send appropriate MIME types for SVG images.
What are appropriate MIME types for SVG images? Well, that is currently under debate at the W3C[1], but you should see Content-Type: image/svg+xml in response headers when making a GET request for an svg file.
You can easily check your server using the W3C's online SVG check tool.
Or, from the command-line with curl:
curl -I https://mywiki.example.org/w/img_auth.php/0/09/MediaWiki_Architecture.svg
HTTP/1.1 200 OK Date: Sun, 11 Feb 2018 05:01:23 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.33 X-Powered-By: PHP/5.6.33 X-Content-Type-Options: nosniff Last-Modified: Sat, 01 Jul 2017 15:50:20 GMT Content-Length: 69832 Content-Type: image/svg+xml
References
- MediaWiki configuration settings/de-formal
- MediaWiki configuration settings introduced in version 1.7.0/de-formal
- MediaWiki configuration settings deprecated in version 1.34.0/de-formal
- MediaWiki configuration settings removed in version 1.35.0/de-formal
- MediaWiki deprecated or obsolete features/de-formal
- SVG variables/de-formal