Convert only first SVG element from input #87

Merged
merged 1 commit into from Jun 7, 2022

@neocotic neocotic commented Jun 7, 2022

If the input to be converted contains multiple SVG elements, only the first SVG element should be converted. Currently, and undesirably, all SVG elements were being inserted into the page within Puppeteer, resulting in them all being stacked prior to the screenshot being taken.

Another symptom of this was that all recent safety measures implemented for remote code injection vulnerabilities can be easily circumvented by inserting a simple empty SVG element at the start of the input as it was the only one being sanitized.

This PR fixes #86.

@neocotic neocotic added the bug label Jun 7, 2022
@neocotic neocotic added this to the 0.6.4 milestone Jun 7, 2022
@neocotic neocotic merged commit 2bbc498 into main Jun 7, 2022
1 check failed
@neocotic neocotic deleted the bugfix/86/convert-single-svg branch June 7, 2022 09:29
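
The mismatch this PR describes (one element sanitized, every element rendered) goes away when the input is cut down to its first SVG element before any check runs. The following is an added example, not code from this PR or the project: `extractFirstSvg`, `toySanitize` and `prepareForRender` are hypothetical names, the regex scanner stands in for a real XML parser, and the sample input is constructed.

```javascript
// Added example, not the project's code: sanitize and render the SAME element.
// Token: a comment or CDATA section (skipped), or an opening/closing <svg> tag
// whose quoted attribute values may contain '>'.
const TOKEN = /<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<(\/?)svg(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;

// Returns the first complete top-level <svg> element in `input`, or null.
function extractFirstSvg(input) {
  const re = new RegExp(TOKEN.source, 'gi'); // fresh lastIndex on every call
  let start = -1;
  let depth = 0;
  for (let m = re.exec(input); m !== null; m = re.exec(input)) {
    if (m[1] === undefined) continue;        // comment or CDATA, not a tag
    const closing = m[1] === '/';
    const selfClosing = !closing && m[2].trimEnd().endsWith('/');
    if (closing) {
      if (depth === 0) continue;             // stray </svg> before any <svg>
      depth -= 1;
    } else {
      if (depth === 0) start = m.index;      // outermost element begins here
      if (!selfClosing) depth += 1;          // nested <svg> raises the depth
    }
    if (depth === 0) return input.slice(start, re.lastIndex);
  }
  return null;                               // no <svg>, or never closed
}

// Stand-in sanitizer (assumption): removes <script> elements and nothing else.
function toySanitize(svg) {
  return svg.replace(/<script\b[\s\S]*?<\/script\s*>/gi, '');
}

// Everything after the first element is dropped BEFORE sanitizing, so the
// string that was checked is exactly the string handed to the renderer.
function prepareForRender(input, sanitize = toySanitize) {
  const first = extractFirstSvg(input);
  if (first === null) throw new Error('no complete <svg> element in input');
  return sanitize(first);
}

// Constructed input: an empty SVG followed by a second SVG carrying a script.
const sample =
  '<svg xmlns="http://www.w3.org/2000/svg"></svg>' +
  '<svg xmlns="http://www.w3.org/2000/svg"><script>/* untrusted */</script></svg>';
console.log(prepareForRender(sample)); // <svg xmlns="http://www.w3.org/2000/svg"></svg>
```

Only the value returned by `prepareForRender` should ever reach the page that is screenshotted; passing the original input alongside it reintroduces the gap.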

Successfully merging this pull request may close these issues.

Remote Code Injection vulnerable