Severity standardization - NFT metadata

[KuTuGu]

We don't seem to have a standard severity of NFT metadata, so I created the issue to discuss.
There are two main problems:

1. The Metadata JSON hard-coded data is bypassed and overwritten

• Low: LlamaPolicyMetadata.contractURI() can return corrupted JSON data 2023-06-llama-findings#254
• Med: Bio Protocol - tokenURI JSON injection 2023-03-canto-identity-findings#212

2. Insert script into the SVG data and run any command

• Low: Malicious governance can steal user sensitive data by svg script 2023-06-llama-findings#166
• Med: XSS via SVG Construction contract 2022-01-timeswap-findings#131

The focus is on whether this issue should be filtered by the front end or the smart contract.

Welcome to discuss and supplement the case.

[gzeoneth]

As commented in one of the issue, I don't see them having high/med security impact because sanitation should be done by the frontend, which on its own can also inject malicious script. It also required privileged role to set those data in the Llama case.

[KuTuGu]

To clarify, in Llama anyone can deploy a DAO, set up malicious data in DAO NFT, and launch an attack as long as someone else loads NFT image in the web page, such as browsing NFTs in opensea.

[gzeoneth]

To clarify, in Llama anyone can deploy a DAO, set up malicious data in DAO NFT, and launch an attack as long as someone else loads NFT image in the web page, such as browsing NFTs in opensea.

Anyone can also deploy any smart contract or NFT too, I am sure OpenSea would not assume the tokenURI is safe.

[GalloDaSballo]

I also side with QA unless the Web Part of the site was in scope