hi @puzrin , please verify and validate the issue
https://huntr.dev/bounties/1e6dac4d-e64e-4e4c-af5d-48224b75850d

If you have valuable info, please post it here. I'm not familiar with huntr and have no idea why should register there.

Hi @puzrin , huntr is an opensoure bug bounty platform ,so if you validate the bug there I will be able to receive a small amount of bounty

I've logged in via github, but can not confirm repo ownership to see bug details. Sorry, but i can not continue spend time for that with unclear reason.

If you have something really valuable about pica - please post directly in this issue tracker. If posted info is not a garbage - i promise to spend time for huntr and make your report there confirmed.

I will talk to huntr and make sure you will be able to view the report, the bug is all about an XSS and SSRF during rendering of an SVG file, you can fix it by loading svg file data as base hashes or while trying to load an svg file consider it as a binary and make it auto downloadable other than viewing the file ,
Thanks for your response @puzrin <3

I'm not sure i understand you right. Pica works with canvas (raster) OR with image object, draw-able to cancas. There are should be no room for XSS/SSRF.

If you speak about demo page - it's a quick-done crappy code to demonstrate features, and nobody cares about it's quality.

oh ok then i think its all about the demo page , sorry for wasting your time, i will close the report