svg-edit XSS? #1

Open
mstone opened this Issue Jul 20, 2014 · 1 comment


mstone commented Jul 20, 2014

There are lots of ways to include javascript in SVG but atlas does not yet make any attempt to protect its users from dangerous SVG.

(For what it's worth, this will almost certainly require parsing and whitelisting to fix, given the diversity of known JS inclusion paths including script elements, via CSS, via xinclude, and probably via svg:image.)

zenhack commented Nov 29, 2014

The python feedparser library's whitelist might provide a good starting point: http://pythonhosted.org/feedparser/html-sanitization.html
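The parse-and-allowlist approach that both comments point at, as an added example that is not atlas's code and not derived from feedparser: parse the SVG, keep only elements and attributes from a short allowlist, and restrict `href` and `url()` values to same-document fragments, so the inclusion paths named above (script elements, CSS, XInclude, image, event handlers, `javascript:` links) all fall out without being enumerated. The allowlists, the `untrusted.example` host and the sample document are constructed for the example; the stdlib parser is used for self-containment, with a crude DOCTYPE guard standing in for the defusedxml parser a production version should use.

```python
# Allowlist-based SVG sanitizer (added example, not atlas's own code).
# Everything not explicitly allowed (elements, attributes, URL-valued
# attributes) is dropped; that is what keeps up with the many script
# inclusion paths rather than a denylist of known ones.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise with a default namespace
ET.register_namespace("xlink", XLINK_NS)

# Constructed allowlists, deliberately short. Note what is absent: script,
# style, foreignObject, image, animate, set, and every element outside the
# SVG namespace (so xi:include is gone too).
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "a", "use", "clipPath",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop",
}
ALLOWED_ATTRS = {
    "id", "x", "y", "width", "height", "viewBox", "transform", "opacity",
    "d", "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2", "points",
    "fill", "stroke", "stroke-width", "clip-path", "offset", "stop-color",
    "font-size", "font-family", "text-anchor", "href",
}
# href and url() may only reference a fragment of the same document:
# no http:, data:, javascript: or external files.
_SAFE_FRAGMENT = re.compile(r"^#[A-Za-z_][\w.-]*$")
_SAFE_URL_FUNC = re.compile(r"^url\(\s*['\"]?#[A-Za-z_][\w.-]*['\"]?\s*\)$")


def _split(qname):
    """Split ElementTree's '{uri}local' form into (uri or None, local)."""
    if qname.startswith("{"):
        uri, local = qname[1:].split("}", 1)
        return uri, local
    return None, qname


def _attr_allowed(name, value):
    uri, local = _split(name)
    if uri not in (None, XLINK_NS) or local not in ALLOWED_ATTRS:
        return False            # every on* handler, style=, xml:*, ... lands here
    if uri == XLINK_NS and local != "href":
        return False
    if local == "href":
        return bool(_SAFE_FRAGMENT.match(value))
    if "url(" in value:
        return bool(_SAFE_URL_FUNC.match(value.strip()))
    return True


def _prune(elem, dropped):
    """Remove disallowed attributes of `elem` and disallowed children (the
    whole subtree, tail text included), recursively; record what was dropped."""
    for name in list(elem.attrib):
        if not _attr_allowed(name, elem.attrib[name]):
            dropped.append(f"attribute {name}={elem.attrib[name]}")
            del elem.attrib[name]
    for child in list(elem):
        uri, local = _split(child.tag)
        if uri != SVG_NS or local not in ALLOWED_ELEMENTS:
            dropped.append(f"element {child.tag}")
            elem.remove(child)
        else:
            _prune(child, dropped)


def sanitize_svg(text):
    """Return (clean_svg_text, list_of_dropped_items) or raise ValueError."""
    # Crude stdlib-only guard against entity expansion and external DTDs;
    # a real deployment should parse with defusedxml instead.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(text)   # comments and PIs are discarded by default
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not svg:svg")
    dropped = []
    _prune(root, dropped)
    return ET.tostring(root, encoding="unicode"), dropped


# Constructed sample exercising the inclusion paths named in the issue.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     xmlns:xi="http://www.w3.org/2001/XInclude"
     width="100" height="100" onload="alert(1)">
  <script>alert(1)</script>
  <style>rect { fill: url(http://untrusted.example/x) }</style>
  <xi:include href="http://untrusted.example/x.svg"/>
  <defs><circle id="c" cx="10" cy="10" r="5"/></defs>
  <rect x="1" y="1" width="50" height="50" fill="red" style="fill:blue"/>
  <rect x="1" y="1" width="50" height="50" fill="url(http://untrusted.example/g)"/>
  <a xlink:href="javascript:alert(1)"><text x="5" y="20">hi</text></a>
  <use xlink:href="#c"/>
  <use xlink:href="http://untrusted.example/x.svg#c"/>
  <image xlink:href="data:image/svg+xml,%3Csvg%20onload%3Dalert(1)%3E"/>
</svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(SAMPLE)
    print(clean)
    print("dropped:", *dropped, sep="\n  ")
```

The `dropped` list is there for logging: a stream of uploads that repeatedly lose `script` elements or `on*` attributes is worth alerting on, not just cleaning. Offending subtrees are removed whole rather than unwrapped, which loses legitimate children of a disallowed parent; that is the conservative trade-off for an allowlist.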
