Strip onload attribute from SVG input #82

Merged
merged 1 commit into from May 29, 2022

neocotic
Owner

In order to prevent a remote code injection, the onload attribute needs to be removed from the SVG input as Puppeteer/Chromium will execute any code within it which could potentially be malicious.

Fixes #81

@neocotic neocotic added the bug label May 29, 2022
@neocotic neocotic added this to the 0.6.2 milestone May 29, 2022
@neocotic neocotic merged commit 7e6031a into main May 29, 2022
1 check failed
@neocotic neocotic deleted the bugfix/fix-remote-code-injection-vuln branch May 29, 2022 15:40

Successfully merging this pull request may close these issues.

Remote Code Injection vulnerable
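
A fail-closed pre-render check in the spirit of this fix, as an added example that is not code from this pull request or from the project: it goes beyond `onload` and flags any `on*` attribute in the raw SVG text before the input is handed to Puppeteer/Chromium. The function names and the sample inputs are assumptions constructed for illustration.

```javascript
// Attribute-like token whose name starts with "on" (onload, onclick, ...).
// An attribute name can only begin after whitespace, "/" or a quote, and
// whitespace may sit between the name and "=", so both are allowed for.
const HANDLER = /(^|[\s\/"'])(on[a-z]+)\s*=/gi;

/**
 * Scan raw SVG text (assumed to be already decoded to a JS string) and return
 * every event-handler-style attribute found, with its 1-based line number.
 * The scan deliberately ignores document structure, so it does not depend on
 * guessing where a lenient parser thinks a tag or a quoted value ends.
 */
function findEventHandlers(svg) {
  const text = String(svg);
  const findings = [];
  for (const m of text.matchAll(HANDLER)) {
    const offset = m.index + m[1].length; // position of the attribute name
    const line = text.slice(0, offset).split('\n').length;
    findings.push({ name: m[2].toLowerCase(), offset, line });
  }
  return findings;
}

/** Fail closed: throw before the SVG reaches the headless browser. */
function assertNoEventHandlers(svg) {
  const findings = findEventHandlers(svg);
  if (findings.length > 0) {
    const list = findings.map((f) => `${f.name} (line ${f.line})`).join(', ');
    throw new Error(`SVG input rejected, event handler attributes: ${list}`);
  }
  return svg;
}

// Constructed sample inputs; the handler bodies are inert placeholders.
const SAMPLES = {
  clean: '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
  root: '<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()"></svg>',
  spaced: '<svg>\n<rect width="1"\n  ONLOAD\n  = "placeholder()"/></svg>',
  dataAttr: '<svg data-onload="x" condition="y"></svg>',
};

for (const [label, svg] of Object.entries(SAMPLES)) {
  console.log(label, findEventHandlers(svg).map((f) => `${f.name}@${f.line}`));
}
```

Because it matches on raw text, the check can reject harmless text content that happens to look like an attribute, and it covers event-handler attributes only.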