Add URL parameter support to SVG renderer

[simonw]

• Page now accepts ?url= query parameter to fetch and display a remote SVG on page load
• "Load example image" link changed to use ?url= parameter, causing a full page reload instead of a JS click handler
• URL parameter takes precedence over hash fragment if both are present
• When ?url= is present, hash is not updated with SVG content (URL already references the source)

---

Modify svg-render.html such that it accepts a ?url=... URL to a SVG hosted somewhere and if the page loads with that it does a fetch() to get that data and display it and the existing "Load example image" link becomes a link to ?url=https://gist.githubusercontent.com/simonw/aedecb93564af13ac1596810d40cac3c/raw/83e7f3be5b65bba61124684700fa7925d37c36c3/tiger.svg which reloads the whole page (so no JS click event)

[claude]

Claude finished @simonw's task —— View job

---

Code Review for SVG URL Parameter Support

Reviewing the PR that adds URL parameter support for loading remote SVGs.

Todo List

• Read and analyze the modified svg-render.html file
• Review code quality and best practices
• Check for potential bugs or issues
• Evaluate performance considerations
• Assess security concerns
• Consider test coverage implications
• Provide comprehensive feedback

---

Code Quality and Best Practices ✅

Positive aspects:

• Clean separation of concerns with the new loadFromUrlParamIfPresent() function
• Proper error handling with try-catch and meaningful error messages
• Good prioritization logic: URL parameter takes precedence over hash fragment (lines 405-408)
• Consistent code style matching the existing codebase
• Clear function naming and logical flow

Suggestions for improvement:

• Consider extracting URL validation logic into a separate function for reusability
• The function could benefit from JSDoc comments explaining the URL parameter behavior

Potential Bugs and Issues ⚠️

Critical Security Issue:

• SSRF Vulnerability (lines 195-209): The code fetches from any URL without validation. This allows:
  • Requests to internal networks (localhost, private IPs)
  • Port scanning of internal services
  • Potential data exfiltration through error messages

Recommended fixes:

function validateSvgUrl(url) {
    try {
        const urlObj = new URL(url);
        // Only allow HTTPS URLs from external domains
        if (urlObj.protocol !== 'https:') {
            throw new Error('Only HTTPS URLs are allowed');
        }
        // Block localhost and private IPs
        if (urlObj.hostname === 'localhost' || 
            urlObj.hostname.startsWith('127.') ||
            urlObj.hostname.startsWith('192.168.') ||
            urlObj.hostname.startsWith('10.') ||
            /^172\.(1[6-9]|2\d|3[01])\./.test(urlObj.hostname)) {
            throw new Error('Local and private IP addresses are not allowed');
        }
        return true;
    } catch (e) {
        throw new Error('Invalid URL: ' + e.message);
    }
}

Minor Issues:

• No Content-Type validation - should verify response is SVG-like
• No size limits on fetched content could lead to memory issues
• Error messages might leak information about network topology

Performance Considerations 💡

Good practices:

• Proper cleanup with URL.revokeObjectURL() (line 346)
• Debounced input handlers prevent excessive re-renders (lines 169-187)

Potential improvements:

• Consider adding timeout to fetch requests
• Could implement caching for frequently accessed URLs
• Add loading indicator for network requests

Security Concerns 🔒

High Priority:

1. SSRF vulnerability as mentioned above - most critical issue
2. XSS potential: No SVG content sanitization - malicious SVGs could contain scripts
3. Content validation: Should verify response Content-Type is image/svg+xml

Medium Priority:

• Consider implementing Content Security Policy headers
• Add rate limiting for URL fetching to prevent abuse

Test Coverage Considerations 🧪

The application would benefit from tests covering:

• URL parameter parsing and validation
• Error handling for network failures
• Security validations (blocked URLs, invalid content types)
• Hash vs URL parameter precedence logic
• SVG content validation and sanitization

Test scenarios to consider:

// URL validation tests
testBlockedUrls(['http://localhost/', 'https://192.168.1.1/', 'https://10.0.0.1/'])
testAllowedUrls(['https://example.com/test.svg'])

// Error handling tests  
testNetworkError('https://nonexistent.example.com/test.svg')
testInvalidContentType('https://example.com/notsvg.txt')

// Precedence tests
testUrlOverridesHash('?url=https://example.com/a.svg#different-content')

Overall Assessment 📊

Strengths:

• Clean implementation of the URL parameter feature
• Good integration with existing hash-based loading
• Proper error handling and user feedback

Critical Issues to Address:

• SSRF vulnerability must be fixed before merging
• Consider SVG content sanitization
• Add Content-Type validation

Recommendation: This is a useful feature but requires security hardening before it can be safely deployed. The SSRF vulnerability is a serious security risk that could allow attackers to probe internal networks.

---