item 46165920


umvi | 2 months ago

SVGs have a lot of security landmines; it's simplest to just disallow them, especially if they are untrusted (user-provided).


tripplyons | 2 months ago

Definitely! In 2020, I reported an XSS vulnerability in GitLab using the onLoad attribute to run arbitrary JavaScript, and I was able to perform user actions without requiring any user interaction. For some reason it took them months to fix it after I reported it to them.
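A deny-list check for user-uploaded SVGs of the kind both comments describe, written as an added example and not code from either commenter or from GitLab: it flags the onload-style event handlers, inline scripts and javascript: links that make an untrusted SVG execute code when it is inlined or opened directly. It assumes Python 3.9+ with only the standard library, and the two sample files are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Elements that run script or embed arbitrary HTML when an SVG is inlined
# or opened directly in the browser (an <img> tag does not execute them).
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# href values with these schemes turn a click or a load into code execution.
BAD_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

def find_svg_risks(svg_bytes: bytes) -> list[str]:
    """Return the reasons an untrusted SVG should be rejected (empty = none found).

    This is a deny-list: it catches the well-known vectors, so serve accepted
    files via <img> or under a strict CSP rather than inlining them into a page.
    """
    risks: list[str] = []
    head = svg_bytes[:4096].upper()
    # DOCTYPE/ENTITY declarations enable entity-expansion and XXE tricks;
    # a picture never needs them, so refuse before handing them to a parser.
    if b"<!DOCTYPE" in head or b"<!ENTITY" in head:
        return ["DOCTYPE or ENTITY declaration"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # local name without namespace
        if tag in ACTIVE_ELEMENTS:
            risks.append(f"<{tag}> element")
        if tag == "style" and el.text and re.search(r"@import|url\s*\(", el.text, re.I):
            risks.append("<style> with external reference")
        for name, value in el.attrib.items():
            local = name.split("}")[-1]      # handles xlink:href as well as href
            # Any on* attribute (onload, onclick, onbegin, ...) is an event handler;
            # match case-insensitively because HTML lower-cases inlined SVG attributes.
            if local.lower().startswith("on"):
                risks.append(f"{local} handler on <{tag}>")
            elif local == "href" and BAD_SCHEME.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                risks.append(f"{scheme}: href on <{tag}>")
    return risks

# Constructed samples: a plain circle, and one carrying the classic vectors.
SAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
            b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
RISKY_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
             b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
             b'<a xlink:href="javascript:alert(1)"><text y="9">x</text></a>'
             b'<script>alert(1)</script></svg>')

if __name__ == "__main__":
    print(find_svg_risks(SAFE_SVG))   # []
    print(find_svg_risks(RISKY_SVG))  # onload handler, javascript: href, <script>
```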