I want to display user uploaded SVG images on a website, but they're quite open to exploits:
For example, arbitrary javascript can be embedded in SVG. There's also issues with performance exploits, but I'd consider those lower priority.
Is there any mechanism to make SVG somewhat safe and only use it as an image? Can I simply trust <img src="/media/user-uploaded-image.svg" />
?
Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?
However, SVG images come with some significant disadvantages. They can possibly be a security hazard, and it's not unusual for SVG files to contain viruses. Here's an explanation from Trustwave: Scalable Vector Graphics or SVG is a vector graphic image file defined using XML-based format …
If you're a developer working with SVG or HTML files, ensuring proper security should be your top priority. Malicious code in the form of viruses and malware can infect nearly any file type.
One of the downsides to using SVG files, and the primary reason this file type has not yet been incorporated into WordPress core, is due to security issues. Since SVG files are XML-based, they are vulnerable to External Entity attacks, among other risks.
Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?
They serve the uploaded files from a separate hostname, specifically upload.wikimedia.org
. You can cross-site-script into there all you like but it doesn't get you anything: it lives in a different origin to en.wikipedia.org
and can't touch its cookies or interact with its script.
This is ultimately the only airtight way to handle file uploads, and what most of the big players do. It is just too difficult to do a thorough scan for all the many obscure XSS possibilities that exist when you allow arbitrary files.
Can I simply trust
<img src="/media/user-uploaded-image.svg" />
?
It doesn't really matter what <img>
does—the user can simply be navigated directly to the SVG address and it'll execute script full-page in the site's origin.
If you embed SVGs as an <image>
it shouldn't be able to execute scripts.
See here: https://www.w3.org/wiki/SVG_Security
Of course you can also parse the document before processing and apply the same filters and regex you would apply to an html file.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With