Is there any way to make user uploaded SVG images safe from code injection etc?

Question

I want to display user uploaded SVG images on a website, but they're quite open to exploits:

• https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload
• https://security.stackexchange.com/questions/36447/img-tag-vulnerability

For example, arbitrary javascript can be embedded in SVG. There's also issues with performance exploits, but I'd consider those lower priority.

Is there any mechanism to make SVG somewhat safe and only use it as an image? Can I simply trust <img src="/media/user-uploaded-image.svg" />?

Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?

Answer 1

Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?

They serve the uploaded files from a separate hostname, specifically upload.wikimedia.org. You can cross-site-script into there all you like but it doesn't get you anything: it lives in a different origin to en.wikipedia.org and can't touch its cookies or interact with its script.

This is ultimately the only airtight way to handle file uploads, and what most of the big players do. It is just too difficult to do a thorough scan for all the many obscure XSS possibilities that exist when you allow arbitrary files.

Can I simply trust <img src="/media/user-uploaded-image.svg" />?

It doesn't really matter what <img> does—the user can simply be navigated directly to the SVG address and it'll execute script full-page in the site's origin.

Answer 2

If you embed SVGs as an <image> it shouldn't be able to execute scripts. See here: https://www.w3.org/wiki/SVG_Security

Of course you can also parse the document before processing and apply the same filters and regex you would apply to an html file.