Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
SVG files should not be treated as images - especially when coming to uploads. An SVG file can contain arbitrary HTML data as well as event handlers in native elements Refs: https://html5sec.org/#svg Original report by: Ishaq Mohammed
- Loading branch information
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is only half the story.
SVG files displayed with < image > are treated as an image: external resources aren't loaded, :visited styles aren't applied, and they cannot be interactive.
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@daftspunk how about if we sanitized SVG files on upload to make them safe? https://github.com/darylldoyle/svg-sanitizer
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure why this was added in the first place, so can't really comment. If SVG is truly needed, one can override the acceptable types in the form widget itself. This list defines what is considered safe and SVG is not considered safe.
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@daftspunk
Yes, we can all agree on that. However, the fact of the matter is, even though SVG is a document format, and not an image format, it still makes sense for a MEDIA-Manager to support those SVG's that do represent an image. So, while we can enable uploading SVG's, there are no previews in the media manager grid views.
I wanted to add support for this (just previews), but seeing how they will now be disabled by default, the PR I made a while back will need some changes. It's nothing complicated and will not break anything as far as I can tell.
Still, the question is, is this something you will consider? Cause if not, there is no point in me doing more work on this subject.
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@datune I'll merge your changes in if you can fix them to work with the latest code
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think if you are going to enable uploads of svg, they should be sanitized for sure. Its too risky to be able to allow for arbitrary JS to be executed if a client uploads a random SVG found online or worse if there's a public upload form in the frontend that somehow ends up visible in the cms views.
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@osmanzeki It‘s always been possible to upload svg‘s, this is not what this issue is about. My initial commit was simply enabling previews of svg‘s in the media manager.
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. Am I correct to assume then that if an svg is previewed in the media manager, that its code is executed and could expose the CMS to xss attacks?
In any case, I think previews for svgs are beneficial for sure, but only if we add the sanitization on uploads with it.
3bbbbf3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@osmanzeki he's just putting the URL of the SVG in the img element. That forces the browser to render it purely as an image which eliminates the issues with XSS. It's not going to be rendered straight to HTML at all.