Changes to how we handle SVGs

Written by Phil Snow in Writing Room on September 11, 2020

We have recently disabled the use of SVGs with the Imgix integration. The reason is security: SVGs can be injected with JS, which could cause malicious behavior on your websites. Another reason for this decision is that the Imgix query parameters have no effect on SVGs.
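To make the risk concrete, here is an added example (not Prismic's code) that flags script-capable constructs in SVG markup before it is hosted or inlined. The function name, pattern list and sample SVGs are constructed for illustration, and a pattern check like this is for triage only; it does not sanitize a file or prove it safe.

```javascript
// Coarse triage for script-capable constructs in SVG markup.
// It flags files for review; it is not a sanitizer.
const SVG_ACTIVE_PATTERNS = [
  // <script> or a namespace-prefixed form such as <svg:script>
  { name: "script element", re: /<\s*(?:[\w-]+:)?script[\s>\/]/i },
  // onload=, onclick=, onbegin=, and other on* event handler attributes
  { name: "event handler attribute", re: /\son[a-z]+\s*=/i },
  // href / xlink:href pointing at a javascript: URL
  { name: "javascript: URL", re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  // foreignObject can embed arbitrary HTML inside the SVG
  { name: "foreignObject element", re: /<\s*(?:[\w-]+:)?foreignObject[\s>\/]/i },
];

// Returns the names of every pattern found in the SVG text (empty array if none).
function findActiveSvgContent(svgText) {
  return SVG_ACTIVE_PATTERNS
    .filter(({ re }) => re.test(svgText))
    .map(({ name }) => name);
}

// Constructed sample inputs
const plainSvg =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
const scriptedSvg =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">' +
  "<script>function init(){}</script><circle r=\"4\"/></svg>";

console.log(findActiveSvgContent(plainSvg));    // no findings
console.log(findActiveSvgContent(scriptedSvg)); // script element + event handler
```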

So from now on, SVGs will be treated as files rather than images. Because of this, they will no longer be delivered from the domain images.prismic; they will now come from our Amazon servers. The team thought this change would not result in any breaking changes, but one case we didn't foresee was people who currently have SVGs with query params and who update their documents, and this is why we didn't communicate this earlier. This is our bad and we should have been more thorough in our testing.

We realize this causes a huge headache for some users. We are trying to perform checks to see how many users may have been affected. We can only apologize about this and promise that we are putting in place processes so that this doesn’t happen again.

What does this mean for you in practical terms?
For any pages that were using SVGs that you want to update, you will need to either replace your SVGs with another image format or create a workaround in your web application that checks which server the URL string is coming from and does not apply query params based off of that. Like so:

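function modifyImageUrl(imageUrl) {
  // Only URLs served from the images.prismic host go through Imgix and accept
  // query params; SVGs are now delivered as files from a different host.
  let hostname;
  try {
    hostname = new URL(imageUrl).hostname; // parsed hostname is already lowercase
  } catch (e) {
    return imageUrl; // not an absolute URL, leave it untouched
  }
  // Check the hostname itself rather than matching anywhere in the URL string
  if (hostname.startsWith("images.prismic")) {
    // Use '?' when the URL has no query string yet, '&' otherwise
    const separator = imageUrl.includes("?") ? "&" : "?";
    return `${imageUrl}${separator}h=60&dpr=2`;
  }
  return imageUrl;
}

const imageUrl = modifyImageUrl(document.data.imageField.url);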

We know that this sucks and realize that this may be short notice for some users, but we are working hard to make sure nothing like this will happen again.

Phil Snow

One of the education team, who lives the phrase "every day is a school day".