Correct validation for SVG files uploaded into Marketo Engage

As someone working within Marketo's Design Studio section, I often find myself leaning on a tool called Adobe Illustrator to design SVG images.

You may have heard of it.

Unfortunately, when validation rules were set up to check SVG files in Marketo Engage's Images and Files section, a mistake seems to have been made. When you use the default SVG Export Plugin, which Illustrator very much points you towards, the output contains xlink code. This is most commonly noted in the opening tags (xmlns:xlink, xml:space), but it also rejects any code within the SVG that is intentionally using xlink! For example, I have had to replace

<clipPath id="SVGID_2_">
    <use xlink:href="#SVGID_1_"  style="overflow:visible;"/>
</clipPath>

with alternate options—effectively making me redraw the entire graphic. While the community has offered some stopgap ways to address this (spoof a different MIME type, use one very specific form of SVG output), this is really counter-intuitive from a company that owns both products.

I also want to emphasize that, from an infosec point of view, I completely understand why xlink has been treated this way; however, a better experience would involve accepting the SVG upload, then sanitizing the output before it's stored in Marketo. There are plenty of SVG options for doing this. This makes especially little sense when the xlink is not leaving the SVG document itself.
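
The accept-then-sanitize idea above, as an added example that is not part of the original post and is not Marketo's validation code: it keeps `xlink:href` values that point inside the same document (they start with `#`) and strips references that leave it, along with script elements and inline event handlers. The function names, the sample SVG and the exact policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep readable prefixes on output
ET.register_namespace("xlink", XLINK_NS)
DROP_ELEMENTS = {"script", "foreignObject"}  # assumed policy: no active content

# Constructed sample: the clipPath/use pair from the post plus risky constructs.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>init = function () {}</script>
  <defs><rect id="SVGID_1_" width="10" height="10"/></defs>
  <clipPath id="SVGID_2_">
    <use xlink:href="#SVGID_1_" style="overflow:visible;"/>
  </clipPath>
  <image xlink:href="https://example.invalid/x.png" width="1" height="1"/>
</svg>"""

def local(name):
    """Strip the '{namespace}' part ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]

def sanitize_svg(svg_text):
    """Return cleaned SVG text; raise ValueError if entities are declared."""
    if "<!ENTITY" in svg_text:  # entity expansion is refused, not repaired
        raise ValueError("entity declarations are not accepted")
    root = ET.fromstring(svg_text)
    # Pass 1: remove elements that can carry active content.
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) in DROP_ELEMENTS:
                parent.remove(child)
    # Pass 2: filter attributes on everything that remains.
    for el in root.iter():
        for attr in list(el.attrib):
            name, value = local(attr), el.attrib[attr].strip()
            if name.startswith("on"):
                del el.attrib[attr]  # inline event handler
            elif name == "href" and not value.startswith("#"):
                del el.attrib[attr]  # reference leaves the document
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
```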