Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Usage of SVG files for logo

  • tammo
  • tammo's Avatar Topic Author
  • Offline
  • Official LimeSurvey Partner
  • Official LimeSurvey Partner
More
2 years 5 months ago #222477 by tammo
Usage of SVG files for logo was created by tammo
Does anyone know how to use a svg-logo like this attachment as the company logo in a theme?
I would like to be able to upload svg-files via the theme settings and use them in the theme.

Using LimeSurvey 5.2.3
Tammo ter Hark at Respondage
For Limesurvey reporting, education and customized themes
respondage.nl
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Away
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
2 years 5 months ago #222480 by DenisChenu
Replied by DenisChenu on topic Usage of SVG files for logo
Upload of SVG file is a security issue , svg can allow XSS, javascript etc …

Then : by default : it was disable by config file.

github.com/LimeSurvey/LimeSurvey/blob/92...fig-defaults.php#L89
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
  • tammo
  • tammo's Avatar Topic Author
  • Offline
  • Official LimeSurvey Partner
  • Official LimeSurvey Partner
More
2 years 5 months ago #222486 by tammo
Replied by tammo on topic Usage of SVG files for logo
Uploading SVG via the front end is much more dangerous than uploading via the backend, where you can (hopefully) trust the users.

So uploading an SVG logo for in the theme might be possible, while uploading SVG via a file upload question might be made impossible.

Would that be possible?
Tammo ter Hark at Respondage
For Limesurvey reporting, education and customized themes
respondage.nl
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Away
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
2 years 5 months ago #222487 by DenisChenu
Replied by DenisChenu on topic Usage of SVG files for logo
Public upload is diabled too : github.com/LimeSurvey/LimeSurvey/blob/92...fig-defaults.php#L94
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.
More
2 years 4 months ago #222493 by jelo
Replied by jelo on topic Usage of SVG files for logo

So uploading an SVG logo for in the theme might be possible, while uploading SVG via a file upload question might be made impossible.
 
The attack vector of a malicious SVG-file is when it is displayed in the survey. It's about the backend and how many different survey administrators are on the server doing things.
If you trust the admins on your LimeSurvey installation, you could use SVG. LimeSurvey demands a change in the config-file. A godmode for LimeSurvey, where you get such options via GUI would be a relief.

Other tools are using SVG purifier, which clean the SVG File from Javascript and other payloads.
 
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The topic has been locked.
  • tammo
  • tammo's Avatar Topic Author
  • Offline
  • Official LimeSurvey Partner
  • Official LimeSurvey Partner
More
2 years 4 months ago #222499 by tammo
Replied by tammo on topic Usage of SVG files for logo
Thank you, that seems to be the right direction.

I added:

$config = 'gif,ico,jpg,png,svg'; // Image file types allowed to be uploaded in the themes section.

to my config.php file and tried to upload an SVG as logo for the theme, but ran into the same error as before:

This file is not a supported image format - only the following ones are allowed: GIF,ICO,JPG,PNG

LS 5.2.3
Tammo ter Hark at Respondage
For Limesurvey reporting, education and customized themes
respondage.nl
The topic has been locked.
  • tammo
  • tammo's Avatar Topic Author
  • Offline
  • Official LimeSurvey Partner
  • Official LimeSurvey Partner
More
2 years 4 months ago #222500 by tammo
Replied by tammo on topic Usage of SVG files for logo
End of config.php now looks like this:

// LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
'debug'=>1,
'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
// Mysql database engine (INNODB|MYISAM):
'mysqlEngine' => 'MYISAM'

, // Update default LimeSurvey config here
$config = 'gif,ico,jpg,png,svg'
)
);
/* End of file config.php */
/* Location: ./application/config/config.php */
Tammo ter Hark at Respondage
For Limesurvey reporting, education and customized themes
respondage.nl
The topic has been locked.
More
2 years 4 months ago #222501 by jelo
Replied by jelo on topic Usage of SVG files for logo
You might look in the config-defaults.php first. There are many different options for uploading images.
Code:
// Please be very careful if you want to allow SVG files - there are several XSS dangerous security issues$config['allowedthemeimageformats'] = 'gif,ico,jpg,png'; // Image file types allowed to be uploaded in the themes section.$config['allowedthemeuploads'] = 'css,js,map,json,eot,otf,ttf,woff,txt,md,xml,woff2,twig'; // Other file types allowed to be uploaded in the themes section.$config['allowedfileuploads'] = [//Documents'xls', 'doc', 'xlsx', 'docx', 'odt', 'ods', 'pdf',//Images - as mentioned above be very careful if you want to allow SVG files'png', 'bmp', 'gif', 'jpg', 'jpeg', 'tif',// Iphone file extensions (version 11 and above)'heif', 'heic', 'heifs', 'heics', 'avci', 'avcs', 'avif', 'avifs',//soundfiles'wav', 'mp3', 'flac', 'aac', 'm4a', 'opus', 'ogg', 'wma', 'mka',//videos'mp4', 'avi', 'mkv', 'mpeg', 'mpg', 'wmv', 'h264', 'h265', 'mov', 'webm', 'divx', 'xvid',];// NB: Allowing XML enables XSS, since XML can be an HTML page.$config['allowedresourcesuploads'] = '7z,aiff,asf,avi,bmp,csv,doc,docx,fla,flv,gif,gz,gzip,ico,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,mpg,ods,odt,pdf,png,ppt,pxd,qt,ram,rar,rm,rmi,rmvb,rtf,sdc,sitd,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,wmv,xls,xlsx,zip,css,js'; // File types allowed to be uploaded in the resources sections, and with the HTML Editor$config['allowedpluginuploads'] = 'gif,ico,jpg,png,css,js,map,json,eot,otf,ttf,woff,txt,md,xml,woff2,twig,php,html';
 
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The topic has been locked.
  • tammo
  • tammo's Avatar Topic Author
  • Offline
  • Official LimeSurvey Partner
  • Official LimeSurvey Partner
More
2 years 4 months ago #222502 by tammo
Replied by tammo on topic Usage of SVG files for logo
Thank you. Seems that this somewhat ill documented. I also uploaded an svg to the files directory, but I could not get it visible.

Is there anyone that has made this happen? And how?
Tammo ter Hark at Respondage
For Limesurvey reporting, education and customized themes
respondage.nl
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Away
  • LimeSurvey Community Team
  • LimeSurvey Community Team
More
2 years 4 months ago #222505 by DenisChenu
Replied by DenisChenu on topic Usage of SVG files for logo
In 3.X , when this new config option was added, i have a client with SVG file in model that broke survey (totally : can not move next).
I quickly update config.php …

See github.com/LimeSurvey/LimeSurvey/commit/...mmitcomment-45853652 and github.com/LimeSurvey/LimeSurvey/commit/...mmitcomment-45721331
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
The topic has been locked.

Lime-years ahead

Online-surveys for every purse and purpose

Pricing & Plans
Get started

Legal

About Us

Open Source