Bypass SVG follow https://github.com/darylldoyle/svg-sanitizer/issues/31 #9
Comments
@dinhbaouit I've pushed a proposed fix for this to https://github.com/darylldoyle/svg-sanitizer/tree/fix/31-xss. Any chance you can double check this fixes the issue for me please? If there's anything else you think I should look out for, I'd love to hear it :)
Yah, but I think the best way you can do is using a whitelist
I see what you mean. I could do something similar and check for URLs starting with one of the following:
@dinhbaouit, I've updated the sanitiser to use a whitelist for these values rather than a regex now. Good idea, thanks for that 🙂 Any chance you can look over darylldoyle/svg-sanitizer@6421560 and let me know if you can see any potential issues before I merge please?
Yah, I think this is the best way. Now it is really safe :))
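The thread settles on a scheme whitelist for `href` / `xlink:href` values instead of a regex blacklist. The following is an added example of that approach in Python, not code from svg-sanitizer (which is a PHP library) and not the maintainer's commit; the allowed-scheme list, the allowed `data:` image types and the sample SVG are constructed for illustration. It normalises the value the way browsers do before matching (strips surrounding whitespace and embedded control characters, lowercases the scheme), treats scheme-less values such as `#gradient` as relative references, and drops any attribute whose scheme is not on the list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed for this example: the only URL schemes an href may carry.
# Anything else (javascript:, vbscript:, file:, ...) is dropped, so new
# scheme tricks fail closed instead of needing a new blacklist entry.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}
# data: URIs are accepted only for raster image types, which carry no script.
ALLOWED_DATA_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Keep the serialiser from inventing ns0:/ns1: prefixes on output.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)


def is_allowed_href(value: str) -> bool:
    """Whitelist check: True only when the value is relative or uses an allowed scheme."""
    # Browsers ignore leading/trailing whitespace and embedded ASCII control
    # characters (tab, newline, NUL) when parsing a URL, so a check that looks
    # at the raw string would see a different scheme than the browser does.
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        # No scheme: a relative path or a same-document fragment like "#shape".
        return True
    scheme = match.group(1).lower()
    if scheme == "data":
        # Accept only "data:image/<type>;..." or "data:image/<type>,..."
        rest = cleaned[match.end():].lower()
        mime = rest.split(";", 1)[0].split(",", 1)[0]
        return mime in ALLOWED_DATA_TYPES
    return scheme in ALLOWED_SCHEMES


def sanitize_svg(svg_text: str):
    """Parse an SVG document and strip every href/xlink:href that fails the whitelist.

    Returns (sanitised_svg_text, list_of_removed_(tag, value)_pairs).
    """
    root = ET.fromstring(svg_text)
    removed = []
    for element in root.iter():
        for attr in HREF_ATTRS:
            if attr in element.attrib and not is_allowed_href(element.attrib[attr]):
                removed.append((element.tag, element.attrib.pop(attr)))
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample input: one legitimate link, one script-scheme link,
# and one fragment reference that must survive sanitisation.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://example.com/"><text>ok</text></a>'
    '<a href="javascript:alert(1)"><text>dropped</text></a>'
    '<use xlink:href="#shape"/>'
    '</svg>'
)

if __name__ == "__main__":
    output, dropped = sanitize_svg(SAMPLE_SVG)
    print(output)
    for tag, value in dropped:
        print("removed %s href=%r" % (tag, value))
```

Note that the check is deliberately a whitelist of what may appear, not a search for known-bad prefixes, so values the regex approach would have to anticipate one by one (odd casing, embedded tabs, unusual schemes) are all handled by the same three lines. For untrusted input in production, parse with `defusedxml` rather than plain `xml.etree` so entity-expansion and external-entity tricks are rejected before this attribute pass runs.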
Just a notice of a bypass for this issue:
darylldoyle/svg-sanitizer#31
POC: https://www.youtube.com/watch?v=hnQA2hc-4_k&feature=youtu.be