Python CGI脚本拒绝包含数据URI的数据（403）

Question

I have a webapp that creates small images using SVG and I want it to be able to save these images to the server and then load them again (as innerHTML of a SVG element). Using ajax, I send the svg's inner HTML to my server side Python script, which looks more or less like this:

#!/usr/bin/python
import cgi

data=cgi.FieldStorage()
filename=data.getfirst('filename')
svg=data.getfirst('svg')

f = open('/filepath/'+filename,'w')
f.write(svg)
f.close()

The ajax call looks like this:

function savetoserver() {
    var filename=$('#savename').val()
    var svg = document.getElementById("svg_element").innerHTML

    dictionary={'svg':svg,'filename':filename}

    $.ajax({
        url:'http://myserver.com/savetoserver.py',
        type: 'post',
        datatype: 'html',
        data: dictionary,
        success: function(response){
            closedialog()
        }
    })
}

This all works great for simple inputs. However, if my SVG has a data URI of any sort in it, it fails, and the script returns 403 (forbidden). Unfortunately, I kinda want to pass it data URIs. In some cases a small image is placed inside the SVG and in almost all cases there are fonts embedded in the SVG as base64 data URIs.

From what little I can find out from Googling, it seems like this is a security issue, to prevent attacks on the server via data URI. Is there a standard alternative available to me that will allow me to store this data and not upset Python/Apache/whoever is being upset?

Answer 1

I am not exactly sure how your svg variable looks like (I am guessing 'some text' + URI) In any case you may want to use encodeURIComponent() which encodes special characters in your URI.

So, you may try to split your svg into 'text part' and 'URI' part (using split() for example) and then send it in ajax request with updated dictionary, where svg variable will be something like 'some text' + encodeURIComponent('URI')