Skip to content
Simple and lightweight library that helps to validate SVG files in security manners.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
gradle/wrapper
src
.gitignore
.travis.yml
LICENSE
README.md
build.gradle.kts
gradlew
gradlew.bat
settings.gradle.kts

README.md

SVG SECURITY

Simple and lightweight library that helps to validate SVG files in security manners.

Travis (.org) Codecov GitHub Release Date Libraries.io dependency status for GitHub repo Scrutinizer code quality

It will help you in detecting malicious content inside uploaded SVGs.

Are you aware that SVG can cause XSS?

Read https://sekurak.pl/pozwalasz-ladowac-pliki-svg-masz-xss-a/ for more details.

Example

Try to upload this SVG into your application, if it passes through and user can browse this file - probably You are venerable to XSS attack.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Hello, world!');
</script>
</svg>

Usage

Add library dependency:

compile "com.github.bgalek.security.svg:safe-svg:1.0.0"

You can use this library to check uploaded svg files

String svg = "<?xml version=\"1.0\" standalone=\"no\"?>\n" +
                "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n" +
                "<svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\">\n" +
                "<polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>\n" +
                "<script type=\"text/javascript\">\n" +
                "alert('Hello, world!');\n" +
                "</script>\n" +
                "</svg>";
        ValidationResult validation = svgSecurityValidator.validate(svg);
        if (validation.hasViolations()) {
            throw new RuntimeException("this file is suspicious" + validation.getOffendingElements());
        }
You can’t perform that action at this time.