svg-edit XSS? #1

Open
mstone opened this Issue · 1 comment

2 participants

@mstone
Owner

There are lots of ways to include JavaScript in SVG, but atlas does not yet make any attempt to protect its users from dangerous SVG.

(For what it's worth, this will almost certainly require parsing and whitelisting to fix, given the diversity of known JS inclusion paths, including script elements, via CSS, via XInclude, and probably via svg:image.)

@zenhack

The python feedparser library's whitelist might provide a good starting point: http://pythonhosted.org/feedparser/html-sanitization.html
