GNOME Bugzilla – Bug 646618
Remote images not supported
Last modified: 2017-06-20 15:33:55 UTC
Created attachment 185024
Simple .svg using <image> element

Apparently this *used* to work in older versions of librsvg, but stopped working with the changeover to gio from gnome-vfs.

According to http://www.w3.org/TR/SVG/linking.html , "the ‘image’ element must reference any local or non-local resource", so the xlink:href attribute of an <image> element can be a general IRI, not necessarily local. So the attached SVG file should show the referenced image. Using rsvg, it does not, since the switch from gnome-vfs.

The call is made in rsvg-image.c to g_filename_from_uri(), but apparently does not honor non-local URIs.
If you create an RsvgHandle out of a local file, we disallow loading references to http resources: we only let you load resources that have the same URI scheme (file://, http://, etc.) as the base file. Otherwise a malicious SVG file could be used to track you.

Also, for references to local files, we only allow loading references to files that are in the same directory as the base file, or in a subdirectory. This prevents information leakage attacks if someone sticks "/etc/passwd" as a referenced resource.

This also means that you need to set the base file if you want external references to work at all. You can use rsvg_handle_get_base_uri(), or pass the base_file argument to the rsvg_handle_new_from_stream_*() functions.
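
The loading policy described in the comment above, written out as an added example (this is not librsvg's code): a reference loads only if its scheme matches the base file's, and a file reference must sit in the base file's directory or below it. The names `reference_allowed`, `normalize` and `scheme_len` are hypothetical; the sketch assumes the href has already been resolved to an absolute URI and that file URIs use the percent-decoded `file:///path` form.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Length of the scheme in "scheme:rest", or 0 when the URI has none. */
static size_t scheme_len(const char *uri) {
    size_t n = strcspn(uri, ":/?#");
    return (n > 0 && uri[n] == ':') ? n : 0;
}

/* Lexically collapse "." and ".." in an absolute path. Symlinks are not
 * resolved; real code should canonicalize on the filesystem as well. */
static bool normalize(const char *path, char *out, size_t cap) {
    size_t len = 0;
    while (*path) {
        size_t seg = strcspn(path, "/");
        if (seg == 2 && path[0] == '.' && path[1] == '.') {
            if (len == 0) return false;             /* ".." above the root */
            while (len > 0 && out[--len] != '/') {} /* drop the last segment */
        } else if (seg > 0 && !(seg == 1 && path[0] == '.')) {
            if (len + seg + 2 > cap) return false;  /* would overflow out */
            out[len++] = '/';
            memcpy(out + len, path, seg);
            len += seg;
        }
        path += seg + (path[seg] == '/');
    }
    out[len] = '\0';
    return true;
}

/* base_uri: URI of the SVG itself; href: absolute URI that it references.
 * Assumes file:///path form, already percent-decoded (example simplification). */
bool reference_allowed(const char *base_uri, const char *href) {
    char dir[1024], target[1024];
    if (!base_uri || !href) return false;           /* no base set: load nothing */
    size_t n = scheme_len(base_uri);
    if (n == 0 || n != scheme_len(href) || strncasecmp(base_uri, href, n) != 0)
        return false;                               /* scheme differs from base */
    if (n != 4 || strncasecmp(base_uri, "file", 4) != 0)
        return true;                                /* non-file: scheme rule only */
    if (strncmp(base_uri + 4, ":///", 4) != 0 || strncmp(href + 4, ":///", 4) != 0 ||
        !normalize(base_uri + 7, dir, sizeof dir) || !normalize(href + 7, target, sizeof target))
        return false;
    char *slash = strrchr(dir, '/');
    if (!slash) return false;
    slash[1] = '\0';                                /* keep "/dir/" of the base file */
    return strncmp(target, dir, strlen(dir)) == 0;  /* same dir or a subdirectory */
}
```

The trailing slash kept on the base directory is what stops a sibling such as `/home/u/picsevil/` from passing a prefix match against `/home/u/pics`.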