Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Handling of character references in an embedded SVG's script tags

Tags:

javascript

html

xss

svg

This is a xss script: 

<svg><script>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg>

The code between <script> tags will be translated to alert(1) by the browser and executed.

But if I don't use a <svg> tag the code won't be translated to script. Can anyone tell me why this happens? How does <svg> tag work?

like image 713
n3v3rm03 Avatar asked Jun 20 '15 10:06

n3v3rm03

People also ask

How to get a reference to an embedded SVG document?

to get a reference to an embedded SVG document instead. The best way to get access to the Document representing an SVG document is to look at HTMLIFrameElement.contentDocument (if the document is presented in an <iframe>) or HTMLObjectElement.contentDocument (if the document is presented in an <object> element), like this:

What is a SVG script element?

A SVG script element is equivalent to the script element in HTML and thus is the place for scripts (e.g., ECMAScript).

How do I reference an SVG file without a fragment?

If you want to reference a whole SVG file, SVG 2 (when implemented in browsers) will allow to reference another SVG file without any fragment identifier: New in SVG 2: An href without a fragment allows an entire SVG document to be referenced without having to ensure that it has an ID on its root element.

How do I access the content of an SVG document?

The best way to get access to the Document representing an SVG document is to look at HTMLIFrameElement.contentDocument (if the document is presented in an <iframe>) or HTMLObjectElement.contentDocument (if the document is presented in an <object> element), like this:

1 Answers

The use of character references within script tags is explicitly disallowed by the HTML parser according to the HTML 5 specification.

HTML5 has a separate script parsing mode as one of a number of tokenisation modes that vary with context. Script parsing does not allow character references, some of the other parsing modes do.

SVG is based on XML where the rules are much simpler and more straightforward. Basically character references are allowed anywhere because there aren't different context sensitive parsing modes.

For SVG in html, the HTML specification says

The svg element from the SVG namespace falls into the embedded content, phrasing content, and flow content categories for the purposes of the content models in this specification.

In other words, parse all SVG text as phrasing content. All SVG is a single custom tokenisation mode for the HTML 5 parser.

like image 118
Robert Longson Avatar answered Oct 24 '22 05:10

Robert Longson
Sign in to Comment

Related questions

Use camera for both native and web app with Ionic/AngularJS and Cordova
How do I "think in QUnit" with my own JavaScript libraries?
How can I get the browser scrollbar height in javascript
window print method is not working in ipad chrome browser
moment.js isAfter performance
Handling successful payment processing but database update failure
How can I use grunt-uncss with an AngularJS application?
ES6 module concatenation
HTML5 segment color?
How to use onclick with a function expression rather than a declared function?
Ionic ion-content not scrolling down when keyboard shows (Android)
Get ClientId of control in Repeater
Stuck with Slick Carousel "Center mode"
emberjs get all form fields / values at once
Angular ui-select tagging lose text input on blur
Pasting from a file browser and HTML5 Clipboard API
Babelify sourceType error when used programmatically
Javascript static methods vs prototypal/instatiated methods on performance
How to save page state during close
Use "5 days ago (Tue)" if within the last week in moment.js

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!