From 00c26e9c7c2be4fcaa99bbd97f8748b09444d7dd Mon Sep 17 00:00:00 2001
From: zmister
Date: Fri, 3 Sep 2021 10:27:03 +0800
Subject: [PATCH] =?UTF-8?q?=E9=BB=98=E8=AE=A4=E7=A6=81=E6=AD=A2=E4=B8=8A?= =?UTF-8?q?=E4=BC=A0SVG=E6=A0=BC=E5=BC=8F=E5=9B=BE=E7=89=87=EF=BC=8C?= =?UTF-8?q?=E4=BB=A5=E9=81=BF=E5=85=8Dsvg=E5=9B=BE=E7=89=87=E7=9A=84xss?= =?UTF-8?q?=E6=94=BB=E5=87=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CHANGES.md | 1 +
 MrDoc/settings.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 0206c6e7e..8518bfecc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -3,6 +3,7 @@ ### v0.7.1 2021-09
 - [修复]用户上传文件中yaml加载的安全漏洞;
+- [优化]默认禁止上传SVG图片(有安全风险);
 ### v0.7.0 2021-08-31
diff --git a/MrDoc/settings.py b/MrDoc/settings.py
index a057d0293..871757ce4 100644
--- a/MrDoc/settings.py
+++ b/MrDoc/settings.py
@@ -195,7 +195,7 @@ MEDIA_ROOT = os.path.join(BASE_DIR,'media')
 # 允许上传的图片后缀
-ALLOWED_IMG = CONFIG.get("image_upload","suffix_name",fallback="jpg,jpeg,gif,png,bmp,webp,svg").split(",")
+ALLOWED_IMG = CONFIG.get("image_upload","suffix_name",fallback="jpg,jpeg,gif,png,bmp,webp").split(",")
 REST_FRAMEWORK = {
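Review bot: The new `ALLOWED_IMG` line in MrDoc/settings.py only changes the `fallback`, so an installation whose config file already sets `suffix_name` under `image_upload` with `svg` in it keeps accepting SVG uploads after this commit. That limit is worth stating next to the setting and in the CHANGES.md entry, so operators know to check their own config. A comment such as `# svg is left out by default: an SVG can carry script that runs in the site's origin when the file is opened; listing it in suffix_name re-enables that risk` would record why the default changed. The list is also taken verbatim from `.split(",")`, so a configured value like `jpg, png` yields an entry with a leading space. How the upload view compares suffixes is not visible in this hunk, but wrapping the existing expression as `[s.strip().lower() for s in CONFIG.get(...).split(",") if s.strip()]` would make the allow-list predictable.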