Canva is committed to improving security across its platform by exploring new ways to safeguard processes and tools. Building on previous font security research, Canva discovered vulnerabilities in font processing, a less explored aspect of graphics security. One surprising finding was the use of SVG formats in digital typography. Canva found security issues in font compression, font collection formats, and CSS parsing, responsibly disclosed the vulnerabilities, and worked with maintainers on patches. Canva emphasizes the importance of handling fonts securely and highlights the need for continued font security research. Canva also thanks open-source maintainers and encourages collaboration for a more secure font processing landscape.
https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/