
XSS: Stored XSS due to Javascript execution in SVG files #2657

Closed
ebelties opened this issue Aug 31, 2019 · 3 comments

@ebelties commented Aug 31, 2019

Hello,

I found that when uploading a new avatar, you can upload an SVG file, which can contain JavaScript (which gets executed upon visit).

I've attached an SVG file which can be used to reproduce the issue.

If more information is needed, I can provide that.

Kind regards,
@ebelties

grav-symbol.zip

@rhukster (Member) commented Aug 31, 2019

I'm assuming you mean avatar in admin panel? This is a known issue with SVGs, and it generally comes down to options:

  1. Just don't allow SVGs. I think this is a harsh solution as SVGs are simply the best way to display vectors in browsers.

  2. Sanitize the SVGs to remove any harmful HTML. This is probably the best solution. I've wanted to look at doing this for a while, but this is a pretty low-impact XSS issue (being that it's in the admin panel, and being that it's your own avatar and currently not displayed to anyone else). However, it does need looking at when I have some time.

@rhukster (Member) commented Aug 31, 2019

For future reference here is a sample SVG cleaning library: https://github.com/darylldoyle/svg-sanitizer
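
The sanitizing approach described in option 2 above, as an added illustration that is neither Grav's code nor the svg-sanitizer library linked in this comment: an allowlist-based SVG cleaner in Python that parses the upload as XML, drops elements and attributes that are not allowlisted (which removes `<script>` and `on*` event handlers), strips `href` values that are not same-document fragments, and rejects DOCTYPE/ENTITY declarations outright. The allowlists, helper names and the sample SVG are constructed for this example; a production allowlist would be considerably larger and would be maintained as a dedicated library.

```python
"""Allowlist-based SVG sanitizer (constructed example, not Grav's code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize <svg> without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)

# Deliberately small allowlists (assumption for this example); anything not
# listed here is dropped, so <script>, <foreignObject> etc. never survive.
ALLOWED_TAGS = {
    "svg", "g", "a", "path", "circle", "rect", "ellipse", "line", "polyline",
    "polygon", "text", "tspan", "defs", "use", "title", "desc",
    "linearGradient", "radialGradient", "stop", "clipPath",
}
ALLOWED_ATTRS = {
    "id", "class", "viewBox", "width", "height", "x", "y", "cx", "cy", "r",
    "rx", "ry", "d", "fill", "stroke", "stroke-width", "points", "x1", "y1",
    "x2", "y2", "transform", "offset", "stop-color", "style",
    "href", "{%s}href" % XLINK_NS,
}


def _localname(name: str) -> str:
    """Strip the {namespace} part ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def _safe_href(value: str) -> bool:
    """Only same-document references (#id) are allowed; this excludes
    javascript:, data: and any external URL."""
    return value.strip().startswith("#")


def _safe_style(value: str) -> bool:
    """Reject inline styles that could pull in external or scripted content."""
    lowered = value.lower()
    return not any(bad in lowered for bad in ("url(", "expression(", "javascript:"))


def find_active_content(svg_text: str) -> list[str]:
    """Detection helper: list the script-capable constructs in an SVG."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _localname(el.tag)
        if tag == "script":
            findings.append("script element")
        for name, value in el.attrib.items():
            local = _localname(name)
            if local.lower().startswith("on"):
                findings.append(f"event handler {local} on <{tag}>")
            elif local == "href" and not _safe_href(value):
                findings.append(f"unsafe href on <{tag}>: {value.strip()[:20]}")
    return findings


def _clean_element(el: ET.Element) -> None:
    for name in list(el.attrib):
        local = _localname(name)
        if local.lower().startswith("on") or name not in ALLOWED_ATTRS:
            del el.attrib[name]
        elif local == "href" and not _safe_href(el.attrib[name]):
            del el.attrib[name]
        elif local == "style" and not _safe_style(el.attrib[name]):
            del el.attrib[name]
    for child in list(el):
        if _localname(child.tag) not in ALLOWED_TAGS:
            el.remove(child)          # drops the subtree, including its text
        else:
            _clean_element(child)


def sanitize_svg(svg_text: str) -> str:
    """Return a cleaned SVG document, or raise ValueError for input that
    should be refused rather than repaired."""
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.I):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(svg_text)
    if _localname(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _clean_element(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample upload with the kinds of active content this issue is about.
DIRTY_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <circle cx="50" cy="50" r="40" fill="red" onclick="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><text x="10" y="20">hi</text></a>
  <use xlink:href="#shape"/>
</svg>"""

if __name__ == "__main__":
    print("before:", find_active_content(DIRTY_SVG))
    cleaned = sanitize_svg(DIRTY_SVG)
    print("after:", find_active_content(cleaned))
    print(cleaned)
```

Two design points worth noting: the cleaner is allowlist-based rather than blocklist-based, so a new scriptable element or attribute is excluded by default instead of having to be discovered first; and the detection helper lets an upload handler log what was stripped, which is useful for spotting users who repeatedly upload active SVGs. Whatever sanitizer is used, it should run on upload (server-side) and the stored file should be served with a `Content-Type` of `image/svg+xml` and an `X-Content-Type-Options: nosniff` header, rather than relying on the sanitizer alone.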

@rhukster (Member) commented Sep 3, 2019

OK, for Grav 1.7.0-beta.8, Admin 1.10.0-beta.8, and Form 4.0.0-rc.5 I've added an SVG sanitize method for uploads in Admin + Form file fields. This is on by default, but can be disabled in security config.

@rhukster rhukster closed this Sep 3, 2019