SVG Out for Confluence Cloud

What is it?

The SVG Out Cloud Confluence app closes a gap you might have discovered when including SVGs in your Confluence pages. Confluence is able to show and scale SVGs as images but it is not possible to use the links which might be included in the SVG. This app renders the SVG such that the links are still working. Furthermore it allows you to add links or replace the existing links in the SVG by Confluence links which are automatically updated when the content moves.

In addition the plugin offers the following functionality:

  • scale the SVG (independent in x- any y-direction)

  • cut out a region to show

  • align the image (left, center, right)

  • show/replace tool tips (only in case the link replacement functionality is used)

  • pan and zoom (including touch devices)

  • dynamic content within the SVGs (with some limitations)

  • export to PDF and Word

Security considerations

In order to allow functional links and sometimes even more (like dynamic SVGs with embedded JavaScript) SVG Out embeds the SVGs as they are and not in an img-tag. An attacker might manipulate SVGs in a way that they contain malicious code which can result in cross-site-scripting (XSS). SVG Out has (if not turned off by you) security scanners in place to minimize that risk - however they can’t eliminate the risk completely. Please consider this when using the app.

Legal and policy documents

The following legal documents apply for all of our apps:

Configuration

On the “Manage apps” screen of your Cloud instance expand the SVG Out Cloud app and click “Configure”

On the configuration screen you can select a security scanner, white-list SVGs in case you use the internal scanner and define whether PNG exports of SVGs for export are turned on or off per default.

Selecting a security scanner

The following security settings regarding the scanner are possible:

Internal scanner

The internal scanner checks SVGs before embedding them. In case it detects something questionable a warning is shown instead of the SVG asking an admin to whitelist the SVG after checking the SVG. Once whitelisted the SVG is shown - this option allows dynamic SVGs which contain JavaScript code inside script-tags. You can see an example here.
Please note that the internal scanner does not allow JavaScript outside script-tags as of 2022-09-04.

DOMPurify

Using this “scanner” all dangerous elements are removed from the SVG before embedding it. This option is the most secure one but does not allow the usage of dynamic SVGs and also limits some other SVGs like the ones using foreign objects (e.g. SVGs created by http://draw.io).

Please not that we use DOMPurify as it is. In case a SVG does not work as intended it will stay like this. We don’t and will likely never modify the behaviour of this tool.

No security scanner

Selecting this option turns of all security scanners. This option is not secure!

Switching between security scanners

You may switch between different security scanners. However links added to the app using one security scanner might stop working under the other security scanner in case you added links to elements not holding their own id. This is because DOMPurify removes elements which result in a different numbering.

Whitelisting of SVGs

In case you selected the internal scanner you can white-list SVGs by entering the SHA hash shown on the page where you embedded the SVG.

It is advisable to give the hash a name so that you can remember what it was like

clock:a46baffd1595006b2d9ae7c6e43e5b5841f542bc048139361a8630ae0799f851

Export settings

Under export settings you currently have only one option: turn the default PNG generation on or off.

The PDF export can’t embed SVGs directly therefore the app converts them to PNGs and saves them as attachment on the page

Usage

The app offers two macros. One to show SVGs in a block the other one to show SVGs inline (or kind of inline). Both have the same set of parameters.

  • SVG File: The filename of the SVG file to be rendered. The dropdown list allows you to select from all SVGs matching your search term.

  • Width in percent of the original size (%), absolute width in px (px) or percent of the available width (%%) (examples: 100%, 300px, 80%%). Tips: you can only specify the width - the height is adopted accordingly. In case you specify %% the image will automatically scale to the given percentage of the available width - e.g. it will shrink when the browser window shrinks.

  • Height in percent of the original size or absolute height in px (examples: 100%, 300px). Tip: you can only specify the height - the width is adopted accordingly.

  • Horizontal orientation of the image (left, center, right).

  • Border: check this to show a black border around the image

  • Allow unsafe inline code and evaluations: in case this option is checked SVGs with unsafe inline code and evaluations are still allowed (in combination with the internal security scanner). In case you activate this option an admin might need to whitelist the SVG again.
    We only recommend to use this option in case you can’t clean your SVG from inline code.

  • Left edge: value in % of the width where the piece you want to see starts

  • Top edge: value in % of the height where the piece you want to see starts

  • Right edge: value in % of the width where the piece you want to see ends

  • Bottom edge: value in % of the height where the piece you want to see ends

The following picture should help to understand the crop values:

Negative values for the left edge or the top edge and values above 100% for the right edge or bottom edge will result in a frame around the SVG in the background color.

  • Pan and zoom active from start: when checked pan and zoom is already active when the user starts to watch a page. However when e.g. the mouse is in the region of SVG and the user uses the mouse wheel the image is zoomed rather than the page is scrolled. Therefore you can configure whether pan and zoom is active from the beginning. When not checked the user has to click inside the SVG (outside any link!) to activate pan and zoom or use a zoom button if present. As this is not a standard behavior you may need to provide instructional text in your Confluence page.

  • Show zoom buttons: show zoom buttons (+, - and reset) under the image. The zoom buttons are only shown in case pan & zoom is enabled.

  • Use mouse wheel: allow the user to use the mouse wheel for zooming.

  • Maximum zoom level: the maximum zoom level the user can zoom in

  • Minimum zoom level: the minimum zoom level the user can zoom out

  • Include in export: when checked a PNG version of the SVG will be generated which is used for PDF/Word export

  • Raster resolution: a relative value indicating how good (and how big) a SVG should be rasterized (converted to a PNG). Example: a SVG with a width of 200px an

  • Highlight links permanently: when checked links in the SVG will be highlighted by a gray dotted line around them

  • Highlight links on hover: when checked the element holding the link is highlighted when the mouse hovers over it

You can add links to SVG elements or replace existing links in the SVG. You can either link to Confluence content or external links.

Please follow the following steps to add or replace a link:

  1. Add a new list entry by pressing the Add button.

  2. Turn on the selection mode by clicking the  symbol.

  3. Select the SVG element to which you want to attach the link to by clicking on the element. The "Element / Id link" field will show the type of the element (e.g. rect, path) followed by the Id of the element. In case you have multiple elements stacked on top of each other keep on clicking at the same position until you get the right type of element. In case you hit an existing link the "Element / Id link" will show existing link (the existing link might not be the first one to show - just keep on clicking).

  4. Select the type of link from the drop-down list.

  5. Add an additional anchor if you want. Tip: this can be very useful when you want to link to a specific heading in a Confluence page. More information can be found here.

  6. Add a tool tip if you want - a tool tip is shown is shown when the mouse hovers over the link.

  7. In case you want to add more links start again from 1. skipping 2. - in case you want to see the results (e.g. the tooltips) turn off the link selection mode by pressing the   symbol again.

Please consider the following when adding / replacing links:

  • As indicated under point 3 you might need to click multiple times to get to the element you really want to attach the link to. Example: In case you do not want to select a single rectangle but the group which contains the rectangle you will see that the rectangle is selected first and when you click a second time the group is selected. You will see the text "Element Id / link" changing from id:rect-... to id:g-... where "g" indicates the SVG tag name for a group.

  • In case you are having SVGs with embedded foreignObjects please ensure that you add the link to the foreignObject or switch element on top of it not any element in the foreignObject.

  • The element selection mode is limited to the selection of a single element. It does not support the selection of multiple elements nor does it have a functionality to add groups etc. In case you have a rectangle (rect) which contains a text (text) which are not grouped in the SVG and you want to have to link on the rectangle and the text you have to add the link to rectangle and the text.

  • In case your SVG elements don’t contain Ids they are added by the app dynamically. However the Ids might change e.g. under the following conditions which make added links unusable:

    • You add or remove elements from the SVG.

    • You are switching from the Internal Scanner to DOMPurify or vice versa.

Frequent support cases

Observation/Question

Explanation/Answer

Observation/Question

Explanation/Answer

Migration from Server / Data Center to Cloud

Please check Purde Software Cloud migration status

My SVG does not look as intended

Please check how you SVG looks when opening it in the browser. SVG Out can’t display it in a different way than your browser.

The SVG is not shown but a negative security check

In case your admin decided to use the internal security scanner some SVGs must be white-listed before they can be shown. This action must be performed by an admin as indicated here.

Dynamic parts of my SVG are not functioning.

In case dynamic parts are not executed multiple causes could apply:

  1. You are using DOMPurify as security scanner (actively selected or per transition on 2022-09-04).

  2. Your dynamic content is not inside script tags - this type of content has/will stop working from 2022-09-04 as indicated here

We continuously amend this list.

Known limitations

  1. In exports SVGs are rendered as PNGs in the resolution you defined.

Getting support

Please use our ticketing system to create a support ticket regardless whether you found a bug, have a feature request or questions.