Hi,
a group of Outdoors contributors is preparing proposed additions to Waymarkedtrails so as to support symbols defined through the wiki:symbol tag. We are hitting security issues and would like to propose to restrain the use of this tag, and at least to leave URLs out.
The wiki:symbol tag is aimed at indicating that the symbol used for a given route must be fetched in SVG format from the OSM wiki. That is very useful for symbols that can’t be approximated with the mini-language offered by osmc:symbol. Other uses of wiki:symbol have been made, including references to PNG files from the OSM wiki, and full fledged URLs to, e.g. Wikipedia.
Loading and rendering arbitrary SVG files from arbitrary URLs can be a security weakness if the rendering app does not deactivate the execution of scripts found in SVG files.
What do you guys say to making this simple and discouraging URLs from appearing in this tag, and apps from supporting them?
13 posts - 6 participants
Ce sujet de discussion accompagne la publication sur https://community.openstreetmap.org/t/discouraging-urls-in-wiki-symbol/102103