8

We are using Apache Batik to render SVG files. For security reasons, all the URLs are converted to HTTP.

Now, when we are rendering the SVG files, we get this issue.

  • Original SVG is: 

    svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"

  • Converted SVG is: 

    svg xmlns=\"https://www.w3.org/2000/svg\" xmlns:xlink=\"https://www.w3.org/1999/xlink\"

So, I tried with Dhttps.protocols parameter from Java, no good. I'm digging source code for this.

Ravipati Praveen
  • 366
  • 5
  • 24
  • 4
    "Security reasons all the urls are converted to http" you're kidding right? You can only "convert" urls that you control yourself, you cannot convert other people's urls if they don't support https. And in this case, namespace urls are just identifiers, not used to retrieve data (although often something related to the namespace is hosted at the url for convenience, but not because it is necessary) – Erwin Bolwidt Sep 19 '16 at 13:54
  • 4
    The strings inside xmlns attributes are **not real URLs**. They are really just predefined constants that allow parsers to identify the namespace of XML elements. You should not change them. – Paul LeBeau Sep 19 '16 at 15:05
  • 2
    (I assume you meant "to HTTPS" instead of "to HTTP" in the first sentence?) – unor Aug 29 '17 at 22:02
  • 1
    See also: [XML Namespace URI with HTTPS?](https://stackoverflow.com/q/30707609/1591669) – unor Aug 29 '17 at 22:02

1 Answers1

15

Don't change the URLs for namespace definitions. These are the attributes starting with xmlns, optionally followed by a : and a more detailed name.

For SVG, the namespace must be http://www.w3.org/2000/svg, see the specification.

These URLs are not used for connecting to, they just define what the elements mean (see XML Namespaces), so you're not gaining any security by changing them. Instead you're just making your SVG file invalid.

davidsheldon
  • 32,393
  • 4
  • 25
  • 27