rcxdude 17 hours ago
Sanitisation is a tricky process; it can be real easy for something to slip through the cracks.

auxiliarymoose 9 hours ago
Yes. Much better to handle all untrusted data safely rather than try to transform untrusted data into trusted data.

I found this page a helpful summary of ways to prevent SVG XSS: https://digi.ninja/blog/svg_xss.php

Notably, the sanitization option is risky because one sanitizer's definition of "safe" might not actually be "safe" for all clients and usages.

Plus as soon as you start sanitizing data entered by users, you risk accidentally sanitizing out legitimate customer data. (Say you are making a Dropbox-like fileshare and a customer's workflow relies on embedding scripts in an SVG file to e.g. make interactive self-contained graphics. Maybe not a great idea, but that is for the customer to decide, and a sanitization script would lose user data. Consider for example that GitHub does not sanitize JavaScript out of HTML files in git repositories.)

lelandfe 17 hours ago
Yeah I’ve worked on a few pieces of software now that tried SVG sanitizing on uploads, got hacked, and banned the uploads.

exceptione 17 hours ago
I guess it is a matter of parsing SVG. Trying to hack around with regex is asking for trouble indeed.
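
An added example, not posted by anyone in the thread: one way to follow auxiliarymoose's point about handling untrusted data safely is to store and serve the upload byte-for-byte and make the HTTP response inert, rather than rewriting the SVG. The function names, the type list and the header values below are assumptions chosen for illustration.

```javascript
// Added example: the uploaded bytes are never modified; only the response
// headers decide how a browser is allowed to treat them. Names are hypothetical.

// Media types a browser may run script from when it renders them as a document.
const ACTIVE_TYPES = new Set([
  'image/svg+xml', 'text/html', 'application/xhtml+xml', 'text/xml', 'application/xml',
]);
const MEDIA_TYPE = /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/;

// RFC 5987 value for filename*: percent-encode what encodeURIComponent leaves alone.
function encodeRfc5987(name) {
  return encodeURIComponent(name)
    .replace(/['()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Quoted-string fallback: replace control/non-ASCII characters and quoting
// characters so the file name cannot break out of the header value.
function asciiFallback(name) {
  return name.replace(/[^\x20-\x7e]|["\\\/;]/g, '_') || 'download';
}

function headersForUpload(fileName, declaredType) {
  const type = String(declaredType).split(';')[0].trim().toLowerCase();
  const valid = MEDIA_TYPE.test(type);
  // A malformed declared type is served as an opaque download.
  const active = !valid || ACTIVE_TYPES.has(type);
  return {
    'Content-Type': valid ? type : 'application/octet-stream',
    // Stop the browser from second-guessing the declared type.
    'X-Content-Type-Options': 'nosniff',
    // Script-capable formats are downloaded, never rendered in the site's origin.
    'Content-Disposition':
      `${active ? 'attachment' : 'inline'}; filename="${asciiFallback(fileName)}"; ` +
      `filename*=UTF-8''${encodeRfc5987(fileName)}`,
    // If the file is rendered anyway, it runs sandboxed with nothing loadable.
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
  };
}
```

An SVG referenced from an `<img>` element is not scripted by the browser in the first place; these headers cover the case where the upload URL is opened directly.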