Block SVG files by default #65

Closed
opened 1 year ago by tag9724 · 3 comments
tag9724 commented 1 year ago (Migrated from github.com)
Owner

SVG files can contain and execute JavaScript code (also CSS and HTML), opening the server to XSS attacks.

Example of SVG file

```svg
<svg xmlns="http://www.w3.org/2000/svg">
	<foreignObject>
		<script>
			alert("JS code inside SVG file !");
		</script>
	</foreignObject>
</svg>
```

Tested it and it worked on uguu.se -> https://a.uguu.se/lQGskjE.svg

![image](https://user-images.githubusercontent.com/1997780/117560127-5cdf1a80-b08b-11eb-8584-586fecbdde9c.png)

neku commented 1 year ago
Owner

Thanks for bringing this to my attention, I usually block file types once people actually start abusing them but let's be proactive for once.

I'll add this to the blacklist, wondering if one can specify e.g. nginx to only serve svg as an image rather than with embedded shit... Probably not.

0xpr03 commented 8 months ago (Migrated from github.com)
Owner

FYI: you can use things like https://packagist.org/packages/enshrined/svg-sanitize
Otherwise you'd have to iframe that and disable scripts in it. Though it would be nice to share SVGs with other people.

Owner

I'll look into it, I agree that being able to upload SVGs would be nice.

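The allow-list sanitizing approach 0xpr03 suggests above (keep only known-harmless SVG elements and attributes, drop `script`, `foreignObject`, `style` and event handlers), as an added Python example that is not uguu's code and not the enshrined/svg-sanitize library; the allow-lists and the sample SVG (the thread's payload plus a styled `rect` and a `use`) are constructed for this illustration. It also refuses files with a DTD, since an uploaded SVG with internal entities is an entity-expansion risk for any XML parser that runs on it later:

```python
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)         # serialize <svg> without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)

# Small allow-lists: anything not listed (script, foreignObject, style=, on*=)
# is dropped rather than escaped. Extend only for constructs you understand.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle",
                "ellipse", "line", "polyline", "polygon", "text", "tspan", "use",
                "linearGradient", "radialGradient", "stop"}
ALLOWED_ATTRS = {"id", "x", "y", "x1", "y1", "x2", "y2", "width", "height",
                 "viewBox", "d", "fill", "stroke", "stroke-width", "cx", "cy", "r",
                 "rx", "ry", "points", "transform", "offset", "stop-color"}

def _local(qname: str) -> str:
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute name."""
    return qname.rsplit("}", 1)[-1]

def sanitize_svg(data: bytes) -> bytes:
    """Re-serialize `data` keeping only allow-listed elements/attributes.
    Raises ValueError or ET.ParseError when the upload should be rejected."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTDs/entities are not allowed")  # entity-expansion DoS
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    def clean(elem: ET.Element) -> None:
        for attr in list(elem.attrib):
            name = _local(attr)
            if name == "href":                       # href / xlink:href
                if not elem.attrib[attr].startswith("#"):
                    del elem.attrib[attr]            # only same-document refs
            elif name.startswith("on") or name not in ALLOWED_ATTRS:
                del elem.attrib[attr]                # handlers, style=, unknowns
        for child in list(elem):
            if _local(child.tag) in ALLOWED_TAGS:
                clean(child)
            else:
                elem.remove(child)                   # whole subtree goes
    clean(root)
    return ET.tostring(root)

# Constructed sample: the thread's payload plus a styled <rect> and a safe <use>.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <foreignObject><script>alert("JS code inside SVG file !");</script></foreignObject>
  <rect width="10" height="10" fill="red" style="..."/>
  <use xlink:href="#shape"/>
</svg>"""
```

Sanitizing only helps if the cleaned bytes are what gets stored; serving the original upload unchanged, even with an image MIME type, still runs the script when a browser opens the URL directly.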