poorman 20 hours ago

All SVGs should be properly sanitized going into a backend and out of it and when rendered on a page.

Do you allow SVGs to be uploaded anywhere on your site? This is a PSA that you're probably at risk unless you can find the few hundred lines of code doing the sanitization.

Note to Ruby on Rails developers, your active storage uploaded SVGs are not sanitized by default.
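To make the "few hundred lines of code doing the sanitization" concrete, here is an added example, not code from this thread, from Rails/Active Storage or from any sanitizer library. It parses the upload as XML and keeps only allowlisted elements and attributes, so `<script>`, `on*` event handlers, `<foreignObject>`, `<style>` and `javascript:` links are dropped structurally rather than regex-matched. The allowlists are deliberately small for the demo (a production sanitizer needs the full safe subset of SVG), and the sample upload is constructed.

```python
"""Allowlist-based SVG sanitizer (added example, not from the thread or any
library). Unknown elements and attributes are removed; nothing is denylisted."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Illustrative allowlists, much smaller than a real one. Note what is absent:
# script, style, foreignObject, animate/set, and every on* event attribute.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "a", "use", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan",
    "linearGradient", "radialGradient", "stop",
}
ALLOWED_ATTRIBUTES = {
    "id", "x", "y", "width", "height", "viewBox", "d", "cx", "cy", "r", "rx",
    "ry", "x1", "y1", "x2", "y2", "points", "fill", "stroke", "stroke-width",
    "transform", "opacity", "offset", "stop-color", "font-size",
    "text-anchor", "href",
}

ET.register_namespace("", SVG_NS)        # serialise as <svg xmlns=...>, not <ns0:svg>
ET.register_namespace("xlink", XLINK_NS)


def _split(qname):
    """'{namespace}local' -> (namespace, local); unqualified names get ''."""
    if qname.startswith("{"):
        ns, _, local = qname[1:].partition("}")
        return ns, local
    return "", qname


def _safe_href(value):
    """Keep only same-document fragment references (#id). This rejects
    javascript:, data: and external URLs without maintaining a scheme denylist."""
    return value.strip().startswith("#")


def _clean(element):
    for child in list(element):
        ns, local = _split(child.tag)
        if ns != SVG_NS or local not in ALLOWED_ELEMENTS:
            element.remove(child)       # whole subtree goes, incl. XHTML inside foreignObject
        else:
            _clean(child)
    for attr in list(element.attrib):
        ns, local = _split(attr)
        if ns not in ("", XLINK_NS) or local not in ALLOWED_ATTRIBUTES:
            del element.attrib[attr]    # onload=, onclick=, style=, foreign namespaces
        elif local.lower().startswith("on") or (
                local == "href" and not _safe_href(element.attrib[attr])):
            del element.attrib[attr]    # belt and braces if the allowlist is ever edited


def sanitize_svg(svg_text):
    """Return a serialised SVG containing only allowlisted content.
    ElementTree's default parser discards comments, processing instructions
    (e.g. <?xml-stylesheet?>) and the DOCTYPE. Parse with defusedxml in
    production: stdlib expat's entity-expansion limits depend on the libexpat
    build, so untrusted input should not reach it unprotected."""
    root = ET.fromstring(svg_text)
    if _split(root.tag) != (SVG_NS, "svg"):
        raise ValueError("root element is not an SVG <svg>")
    _clean(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample upload exercising the usual SVG XSS vectors.
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="20" height="20" onload="alert(1)">
  <script>alert(2)</script>
  <style>@import 'https://cdn.invalid/x.css'</style>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body></foreignObject>
  <a xlink:href="javascript:alert(4)"><rect width="10" height="10"/></a>
  <use xlink:href="#logo" onclick="alert(5)"/>
  <circle cx="5" cy="5" r="2" fill="red"/>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(MALICIOUS_SVG))
```

Running it on the sample leaves the `<rect>`, `<use href="#logo">` and `<circle>` and nothing else. The allowlist is the whole security argument: anything a browser would treat as active that is not on the list simply never reaches the output, which is the property a regex-based approach cannot give you.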

nradov 19 hours ago | parent | next [-]

Is there SVG sanitization code which has been formally proven correct and itself free of security vulnerabilities?

codedokode 6 hours ago | parent | prev | next [-]

It would be better if they were sanitized by design and could not contain scripts and CSS. For interactive pictures, one could simply use HTML with inline SVG and scripts.

poorman 20 hours ago | parent | prev | next [-]

GitLab has some code in their repo if you want to see how to do it.

jdironman 13 hours ago | parent [-]

This is what they actually use: https://github.com/flavorjones/loofah

rcxdude 17 hours ago | parent | prev | next [-]

Sanitisation is a tricky process; it can be really easy for something to slip through the cracks.

auxiliarymoose 9 hours ago | parent | next [-]

Yes. Much better to handle all untrusted data safely rather than try to transform untrusted data into trusted data.

I found this page a helpful summary of ways to prevent SVG XSS: https://digi.ninja/blog/svg_xss.php

Notably, the sanitization option is risky because one sanitizer's definition of "safe" might not actually be "safe" for all clients and usages.

Plus as soon as you start sanitizing data entered by users, you risk accidentally sanitizing out legitimate customer data (Say you are making a DropBox-like fileshare and a customer's workflow relies on embedding scripts in an SVG file to e.g. make interactive self-contained graphics. Maybe not a great idea, but that is for the customer to decide, and a sanitization script would lose user data. Consider for example that GitHub does not sanitize JavaScript out of HTML files in git repositories.)
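The "handle untrusted data safely instead of transforming it" approach, as an added example that is not from this thread, the linked page or any product: the stored file is kept byte-for-byte, a parse-and-inspect pass reports whether it contains active content, and the serving layer uses that only to decide between inline display and forced download, while always sending a restrictive CSP and `nosniff`. The element and attribute names it looks for are standard SVG; the sample uploads are constructed.

```python
"""Classify-and-serve for user SVGs (added example, not from the thread).
Nothing in the upload is rewritten, so a customer's interactive SVG survives
intact; it just never executes on the application's origin."""
import xml.etree.ElementTree as ET

# Elements that can run or fetch code: script, embedded XHTML, CSS, and SMIL
# animation (which can rewrite attributes such as href at runtime).
ACTIVE_ELEMENTS = {"script", "foreignObject", "style",
                   "animate", "set", "animateTransform", "animateMotion"}


def _local(qname):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return human-readable findings; an empty list means nothing active was
    seen. This is a triage signal, not a security boundary: the headers in
    response_headers() apply to every file regardless of what is found."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():                      # document order, root first
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"{aname} event handler on <{name}>")
            elif aname == "href" and not value.strip().startswith("#"):
                findings.append(f"non-fragment href on <{name}>: {value.strip()[:40]}")
            elif aname == "style":
                findings.append(f"style attribute on <{name}>")
    return findings


def response_headers(findings):
    """Headers for serving a stored user SVG. The CSP takes effect when the
    browser loads the file as a document (navigation, <iframe>, <object>);
    an <img> rendering never runs script in any case. Files with active
    content are forced to download. Serving all user uploads from a separate
    origin is the complementary control this example does not show."""
    disposition = "attachment" if findings else "inline"
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": disposition,
    }


# Constructed sample: the kind of self-contained interactive graphic a
# customer might legitimately upload, which a sanitizer would silently break.
INTERACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <script>document.addEventListener('click', function () { /* constructed: toggles a highlight */ });</script>
  <circle id="dot" cx="50" cy="50" r="20" fill="steelblue" onclick="this.setAttribute('fill', 'tomato')"/>
</svg>"""

# Constructed sample with only static content and a same-document reference.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <use href="#dot"/>
  <circle id="dot" cx="5" cy="5" r="2" fill="red"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("interactive", INTERACTIVE_SVG), ("clean", CLEAN_SVG)):
        found = find_active_content(doc)
        print(label, found, response_headers(found)["Content-Disposition"])
```

The trade-off versus sanitizing is exactly the one described above: the customer keeps their scripts, and the application never has to decide what "safe" means for every client, because the file is either rendered through an `<img>`, served under a no-script CSP, or downloaded rather than displayed.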

lelandfe 17 hours ago | parent | prev | next [-]

Yeah I’ve worked on a few pieces of software now that tried SVG sanitizing on uploads, got hacked, and banned the uploads.

exceptione 17 hours ago | parent | prev [-]

I guess it is a matter of parsing SVG. Trying to hack around with regex is asking for trouble indeed.

ivw 20 hours ago | parent | prev [-]

Just run them through `svgo` and get the benefit of smaller file sizes as well.

silverwind 15 hours ago | parent [-]

svgo is a minifier, not a sanitizer.