top | item 46317948

(no title)

poorman | 2 months ago

All SVGs should be properly sanitized going into a backend and out of it and when rendered on a page.

Do you allow SVGs to be uploaded anywhere on your site? This is a PSA that you're probably at risk unless you can find the few hundred lines of code doing the sanitization.

Note to Ruby on Rails developers, your active storage uploaded SVGs are not sanitized by default.

discuss

nradov|2 months ago

Is there SVG sanitization code which has been formally proven correct and itself free of security vulnerabilities?

codedokode|2 months ago

It would be better if they were sanitized by design and could not contain scripts and CSS. For interactive pictures, one could simply use HTML with inline SVG and scripts.

poorman|2 months ago

GitLab has some code in their repo if you want to see how to do it.

jdironman|2 months ago

This is what they actually use: https://github.com/flavorjones/loofah

rcxdude|2 months ago

Sanitisation is a tricky process, it can be real easy for something to slip through the cracks.

auxiliarymoose|2 months ago

Yes. Much better to handle all untrusted data safely rather than try to transform untrusted data into trusted data.

I found this page a helpful summary of ways to prevent SVG XSS: https://digi.ninja/blog/svg_xss.php

Notably, the sanitization option is risky because one sanitizer's definition of "safe" might not actually be "safe" for all clients and usages.

Plus as soon as you start sanitizing data entered by users, you risk accidentally sanitizing out legitimate customer data (Say you are making a DropBox-like fileshare and a customer's workflow relies on embedding scripts in an SVG file to e.g. make interactive self-contained graphics. Maybe not a great idea, but that is for the customer to decide, and a sanitization script would lose user data. Consider for example that GitHub does not sanitize JavaScript out of HTML files in git repositories.)

lelandfe|2 months ago

Yeah I’ve worked on a few pieces of software now that tried SVG sanitizing on uploads, got hacked, and banned the uploads.

exceptione|2 months ago

I guess it is a matter of parsing svg. Trying to hack around with regex is asking for trouble indeed.

ivw|2 months ago

just run them through `svgo` and get the benefits of smaller filesizes as well

silverwind|2 months ago

svgo is a minifier, not a sanitizer.