svg-edit XSS? #1

mstone opened this Issue · 1 comment

Michael Stone

There are lots of ways to include JavaScript in SVG, but atlas does not yet make any attempt to protect its users from dangerous SVG.

(For what it's worth, this will almost certainly require parsing and whitelisting to fix, given the diversity of known JS inclusion paths, including script elements, via CSS, via XInclude, and probably via svg:image.)

Ian Denhardt

The python feedparser library's whitelist might provide a good starting point:

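Both comments above argue for parsing the SVG and keeping only a whitelist of elements and attributes rather than trying to blacklist script. The sanitizer below is an added illustration of that approach in Python; it is not atlas code, not the feedparser whitelist Ian refers to, and the hostile sample document is constructed for the example. It uses only the standard-library `xml.etree.ElementTree`, rebuilds the tree from whitelisted SVG-namespace elements and attributes, allows `href` only as a same-document `#id` reference (or a raster `data:image/...` URI on `<image>`), refuses any `url(...)` paint value that is not a local reference, and rejects documents with a DOCTYPE so entity tricks never reach the parser. Elements such as `script`, `style`, `set`/`animate`, `foreignObject`, `filter` and anything outside the SVG namespace (XInclude, XHTML) are absent from the whitelist and are therefore dropped with their subtree.

```python
"""Whitelist-based SVG sanitizer (added example, not atlas or feedparser code).
Every known JS inclusion path is handled by omission: if an element or
attribute is not on the whitelist it is dropped, never escaped or patched."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ET.register_namespace("", SVG_NS)  # serialize without ns0: prefixes
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Deliberately absent: script, style, set/animate (can animate href), foreignObject,
# filter/feImage, and every non-SVG namespace (XInclude, XHTML) - assumed policy.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "a", "use", "symbol", "image", "path",
    "rect", "circle", "ellipse", "line", "polyline", "polygon", "text", "tspan",
    "linearGradient", "radialGradient", "stop", "clipPath", "mask", "pattern"}
# No style, no on* handlers, no xml:base; href is handled separately below.
ALLOWED_ATTRS = {
    "id", "x", "y", "width", "height", "viewBox", "preserveAspectRatio", "transform",
    "d", "points", "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2", "fill",
    "stroke", "stroke-width", "fill-opacity", "stroke-opacity", "opacity",
    "clip-path", "mask", "font-size", "font-family", "text-anchor", "offset",
    "stop-color", "stop-opacity", "gradientUnits", "gradientTransform"}
_LOCAL_REF = re.compile(r"^#[A-Za-z_][\w.:-]*$")
_LOCAL_URL = re.compile(r"^url\(#[A-Za-z_][\w.:-]*\)$")
_URL_FUNC = re.compile(r"url\s*\(", re.I)
# Raster-only data: URIs for <image>; data:image/svg+xml is refused on purpose.
_DATA_IMAGE = re.compile(r"^data:image/(png|jpeg|gif);base64,[A-Za-z0-9+/=\s]+$", re.I)


def _clean_attr(local, name, value):
    """Return the attribute value to keep, or None to drop it."""
    value = value.strip()
    if name in ("href", XLINK_HREF):
        if _LOCAL_REF.match(value):                 # same-document reference only
            return value
        if local == "image" and _DATA_IMAGE.match(value):
            return value
        return None                                 # javascript:, http:, file:, svg data URIs
    if name not in ALLOWED_ATTRS:                   # on*, style, xml:base, xi:*, ...
        return None
    if _URL_FUNC.search(value) and not _LOCAL_URL.match(value):
        return None                                 # fill="url(http://...)" and friends
    return value


def _clean(elem):
    """Rebuild elem from the whitelist; return None to drop the whole subtree."""
    ns, _, local = elem.tag.rpartition("}")
    if ns != "{" + SVG_NS or local not in ALLOWED_ELEMENTS:
        return None                                 # also drops unnamespaced and foreign tags
    out = ET.Element(elem.tag)
    for name, value in elem.attrib.items():
        kept = _clean_attr(local, name, value)
        if kept is not None:
            out.set(name, kept)
    out.text = elem.text
    for child in elem:
        clean = _clean(child)
        if clean is not None:
            out.append(clean)
        elif len(out):                              # keep text that followed a dropped node
            out[-1].tail = (out[-1].tail or "") + (child.tail or "")
        else:
            out.text = (out.text or "") + (child.tail or "")
    out.tail = elem.tail
    return out


def sanitize_svg(svg_text):
    """Return a serialized, whitelisted copy of svg_text; ValueError if unusable."""
    if re.search(r"<!DOCTYPE", svg_text, re.I):    # no entity declarations at all
        raise ValueError("DOCTYPE/entity declarations are not allowed")
    try:
        root = ET.fromstring(svg_text)              # comments and PIs (xml-stylesheet) are not kept
    except ET.ParseError as exc:
        raise ValueError("malformed XML: %s" % exc)
    clean = _clean(root)
    if clean is None or clean.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not svg:svg in the SVG namespace")
    return ET.tostring(clean, encoding="unicode")


# Constructed hostile sample (not from the issue): one node per inclusion path.
HOSTILE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     xmlns:xi="http://www.w3.org/2001/XInclude" onload="alert(1)" viewBox="0 0 100 100">
  <script>alert(1)</script>
  <style>rect { fill: url(http://evil.example/x) }</style>
  <xi:include href="file:///etc/passwd"/>
  <a xlink:href="javascript:alert(1)"><rect x="1" y="1" width="10" height="10" onclick="alert(1)"/></a>
  <image xlink:href="http://evil.example/x.svg" width="10" height="10"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="10" height="10"/>
  <use xlink:href="http://evil.example/a.svg#x"/><use xlink:href="#ok"/>
  <circle cx="5" cy="5" r="2" fill="url(#grad)" style="fill:url(javascript:alert(1))"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body></foreignObject>
  <text x="1" y="1">hello</text>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(HOSTILE_SVG))
```

Two caveats a practitioner would add: the whitelist is the security boundary, so every element or attribute added to it later (for example `filter`, `animate`, or a `style` attribute) needs its own review of what it can reference; and the parser is the stdlib one, so for untrusted input at scale the DOCTYPE refusal above should be backed by a hardened parser such as defusedxml rather than relied on alone.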