Defect #42966

open

Replace legacy loader.gif with SVG icon

Added by Mizuki ISHIKAWA 26 days ago. Updated 2 days ago.

Status: New
Priority: Normal
Category: UI
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

This patch replaces the existing loading.gif with an SVG-based loading icon using Tabler Icons' loader-2 (https://tabler.io/icons/icon/loader-2).
The original loading.gif was an animated GIF that rotated, and the SVG replacement replicates this behavior using CSS animation.

Since this change affects various parts of the UI, the update has been split into multiple patches as follows:

0001-Replace-loading-and-hourglass-icons-with-SVG-version.patch

Replaces loading.gif and hourglass.gif shown during file uploads.

0002-Replace-autocomplete-input-loading-icon-with-SVG.patch

Replaces loading.gif shown during autocomplete inputs (e.g., parent_id).
Also moves the search icon from inside the input field to outside, consistent with the file upload UI.

0003-Replace-ajax-indicator-loading-icon-with-SVG.patch

Replaces loading.gif inside the Ajax indicator element.

0004-Replace-sort-handle-loading-icon-with-SVG.patch

Replaces loading.gif shown in sorting UIs (e.g., Enumerations, Trackers).

0005-Replace-loading-icon-with-SVG-during-CSV-import.patch

Replaces loading.gif shown during CSV import.


Actions #1

Updated by Marius BĂLTEANU 26 days ago

  • Assignee set to Marius BĂLTEANU
Actions #2

Updated by Marius BĂLTEANU 25 days ago

  • Target version set to 6.1.0

Thanks Mizuki for the nice work, I will the patches in the following days.

Actions #3

Updated by Michael M 23 days ago

Hello, just a question, is this a good idea? SVGs are known in the security community as extremely dangerous as they can contain embedded code for remote execution etc. This would create another layer of potential attack for Redmine installations.

Just a question.
Some basic information about the issue from Cloudflare's blog: https://www.cloudflare.com/en-gb/threat-intelligence/research/report/svgs-the-hackers-canvas/

Actions #4

Updated by Go MAEDA 2 days ago

Michael M wrote in #note-3:

Hello, just a question, is this a good idea? SVGs are known in the security community as extremely dangerous as they can contain embedded code for remote execution etc. This would create another layer of potential attack for Redmine installations.

Thank you for raising this point.

However, in this case, Redmine uses only a bundled SVG image that is included in the official Redmine distribution. This image is trusted and does not contain scripts or any malicious contents, as shown in the patch file 0001-Replace-loading-and-hourglass-icons-with-SVG-version.patch.

Therefore, I believe that this series of patches does not pose the kind of risk described in the article.
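
The property the reply above relies on (a bundled SVG with no scripts) can be checked mechanically. The following is an added example, not part of the original thread or of Redmine's code: it audits an SVG asset for script-capable elements, event-handler attributes and non-local references. The function names and both sample SVG strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign documents inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed samples: a static stroke icon, and one carrying active content.
CLEAN = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" '
         'fill="none" stroke="currentColor"><path d="M12 3a9 9 0 1 0 9 9"/></svg>')
UNSAFE = ('<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()">'
          '<script>/* placeholder */</script>'
          '<use href="https://example.invalid/sprite.svg#i"/></svg>')

def local(name):
    """Strip an XML namespace: '{ns}tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1]

def audit_svg(text):
    """Return a list of findings; an empty list means no active content was found."""
    # Refuse DTDs outright: entities can hide markup from the checks below.
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        if tag == "style" and re.search(r"@import|url\(", el.text or "", re.I):
            findings.append("<style> loads an external resource")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr == "href" and not value.strip().startswith("#"):
                findings.append(f"non-local href on <{tag}>: {value.strip()[:40]}")
            elif attr == "style" and re.search(r"url\(", value, re.I):
                findings.append(f"style url() on <{tag}>")
    return findings

if __name__ == "__main__":
    for label, svg in (("clean", CLEAN), ("unsafe", UNSAFE)):
        print(label, audit_svg(svg) or "no active content")
```

Run over every `.svg` file in a release tree, a non-empty result is a reason to block the build; the same check does not make user-uploaded SVGs safe to serve inline.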
