On Sun, Feb 10, 2013 at 9:16 AM, Dirk Schulze <dschulze@adobe.com> wrote:
> At WebKit, we decided that we could not predict possible security issues
> with allowing arbitrary content on glyphs at the time of implementing SVG
> Fonts. Even if it looks like we have a somehow trustable security concept,
> it sounds like an unnecessary risk. In general I would like to limit the
> graphical elements to basic shapes. I am not even sure if <text> would make
> a lot of sense on a glyph, but it might be ok. It would require a font,
> which most likely is an external resource so.
>
We decided to make the restrictions on SVG glyphs be exactly the same as
the restrictions on SVG images. We've seen no reason to believe there are
any additional security issues for SVG glyphs.
Rob