Patch #42966
closed
Replace legacy loader.gif with SVG icon in attachment upload form and in ajax indicator
0%
Description
This patch replaces the existing loading.gif with an SVG-based loading icon using Tabler Icons' loader-2 (https://tabler.io/icons/icon/loader-2).
The original loading.gif was an animated GIF that rotated, and the SVG replacement replicates this behavior using CSS animation.
Since this change affects various parts of the UI, the update has been split into multiple patches as follows:
0001-Replace-loading-and-hourglass-icons-with-SVG-version.patch
Replaces loading.gif and hourglass.gif shown during file uploads.
0002-Replace-autocomplete-input-loading-icon-with-SVG.patch
Replaces loading.gif shown during autocomplete inputs (e.g., parent_id).
Also moves the search icon from inside the input field to outside, consistent with the file upload UI.
0003-Replace-ajax-indicator-loading-icon-with-SVG.patch
Replaces loading.gif inside the Ajax indicator element.
0004-Replace-sort-handle-loading-icon-with-SVG.patch
Replaces loading.gif shown in sorting UIs (e.g., Enumerations, Trackers).
0005-Replace-loading-icon-with-SVG-during-CSV-import.patch
Replaces loading.gif shown during CSV import.
Updated by Marius BĂLTEANU 3 months ago
- Target version set to 6.1.0
Thanks Mizuki for the nice work, I will the patches in the following days.
Updated by Michael M 2 months ago
Hello, just a question: is this a good idea? SVGs are known in the security community as extremely dangerous as they can contain embedded code for remote execution etc. This would create another layer of potential attack for Redmine installations.
Just a question.
Some basic information about the issue from Cloudflare's blog: https://www.cloudflare.com/en-gb/threat-intelligence/research/report/svgs-the-hackers-canvas/
Updated by Go MAEDA about 2 months ago
Michael M wrote in #note-3:
Hello, just a question: is this a good idea? SVGs are known in the security community as extremely dangerous as they can contain embedded code for remote execution etc. This would create another layer of potential attack for Redmine installations.
Thank you for raising this point.
However, in this case, Redmine uses only a bundled SVG image that is included in the official Redmine distribution. This image is trusted and does not contain scripts or any malicious content, as shown in the patch file 0001-Replace-loading-and-hourglass-icons-with-SVG-version.patch.
Therefore, I believe that this series of patches does not pose the kind of risk described in the article.
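As an added illustration of the exchange above (not part of the original thread or of Redmine's code): a Python check that could run in CI over bundled SVG assets and report script-capable content. The function names and the two sample SVG strings are constructed for this example.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Elements that can execute script or embed arbitrary documents.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def audit_svg(text):
    """Return findings for one SVG document; an empty list means nothing active was found."""
    # A static icon never needs a DTD, and refusing one avoids entity-expansion tricks.
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name).lower()
            if attr.startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler '{attr}' on <{tag}>")
            elif attr in ("href", "src") and not value.strip().startswith("#"):
                # Only same-document fragment references are allowed.
                findings.append(f"non-local '{attr}' on <{tag}>")
    return findings

# Constructed samples: a plain spinner path, and a file using the risky features.
SAFE = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" '
        'fill="none" stroke="currentColor"><path d="M12 3a9 9 0 1 0 9 9"/></svg>')
UNSAFE = ('<svg xmlns="http://www.w3.org/2000/svg" '
          'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
          '<script>function init() {}</script>'
          '<a xlink:href="javascript:init()"><path d="M0 0h1"/></a></svg>')

if __name__ == "__main__":
    failed = False
    for path in sys.argv[1:]:  # e.g. every *.svg shipped in the release tarball
        with open(path, encoding="utf-8") as fh:
            for finding in audit_svg(fh.read()):
                failed = True
                print(f"{path}: {finding}")
    sys.exit(1 if failed else 0)
```

Run with the SVG paths as arguments; a non-zero exit status fails the build when any bundled file carries active content.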
Updated by Marius BĂLTEANU 3 days ago
- Subject changed from Replace legacy loader.gif with SVG icon to Replace legacy loader.gif with SVG icon in attachment upload form and in ajax indicator
Updated by Marius BĂLTEANU 3 days ago
- Tracker changed from Defect to Patch
- Affected version deleted (6.0.4)
Updated by Marius BĂLTEANU 3 days ago
- Related to Patch #43219: Replace legacy loader.gif with SVG icon in autocomplete input added
Updated by Marius BĂLTEANU 3 days ago
- Status changed from New to Resolved
I've committed only the first and the third patch, thanks!
For the second and for the fourth I've opened new issues to handle them in 7.0.0. I don't think that adding so many JS lines just to handle the loader is worth it.
For the last one, I'm not able to reproduce the change.