Does the threat of XSS exists when loading an untrusted SVG file using the img
tag?
As in: <img src="untrusted.svg"/>
I've read that most browsers disable scripts in svg files loaded via the img
tag.
The quick way: img elementTo embed an SVG via an <img> element, you just need to reference it in the src attribute as you'd expect. You will need a height or a width attribute (or both if your SVG has no inherent aspect ratio). If you have not already done so, please read Images in HTML.
SVG files can also contain embedded JavaScript (JS) code, a potential vulnerability. For example, an infected SVG file can redirect users to a malicious website disguised as a reputable one. These sites often prompt users to install spyware disguised as a browser plugin or, ironically, a virus detection program.
Cross site scripting(XSS) is a very common bug which involves injecting javascript code in web pages. This vulnerability can be used to do all kinds of things from stealing users cookies to bypassing SOP via CORS. There are numerous ways to locate XSS vulnerabilities, SVG files are normally overlooked.
SVGInject. A tiny, intuitive, robust, caching solution for injecting SVG files inline into the DOM. Developed and maintained by INCORS, the creators of iconfu.com.
This used to work in some browsers, but not anymore. However there is a related issue. If I as a unknowing user, right click and download the image, and then open it locally, it will likely open in the browser and the script will run. Which is a bit weird considering it's an image. I suppose if you right click and select "view image" that could also cause the script to run, because you open it diretly.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With