
Changed to make svg media urls link to the media file directly #12655

Closed
wants to merge 1 commit into from

Conversation

AaronSadlerUK
Contributor

@AaronSadlerUK AaronSadlerUK commented Jul 4, 2022

Prerequisites

  • I have added steps to test this contribution in the description below

If there's an existing issue for this PR then this fixes #12654

Description

This fixes the URL for SVG media items on the Info Tab in the backoffice so that it links directly to the media file.

It now works in the same way as if you click on the image on the Content tab.

I have commented out the code rather than remove it, as I'm not sure why it was added or what it was trying to achieve.

@github-actions

github-actions bot commented Jul 4, 2022

Hi there @AaronSadlerUK, thank you for this contribution! 👍

While we wait for one of the Core Collaborators team to have a look at your work, we wanted to let you know that we have a checklist for some of the things we will consider during review:

  • It's clear what problem this is solving, there's a connected issue or a description of what the changes do and how to test them
  • The automated tests all pass (see "Checks" tab on this PR)
  • The level of security for this contribution is the same or improved
  • The level of performance for this contribution is the same or improved
  • Avoids creating breaking changes; note that behavioral changes might also be perceived as breaking
  • If this is a new feature, Umbraco HQ provided guidance on the implementation beforehand
  • 💡 The contribution looks original and the contributor is presumably allowed to share it

Don't worry if you got something wrong. We like to think of a pull request as the start of a conversation, we're happy to provide guidance on improving your contribution.

If you realize that you might want to make some changes then you can do that by adding new commits to the branch you created for this work and pushing new commits. They should then automatically show up as updates to this pull request.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

@bjarnef
Contributor

bjarnef commented Jul 4, 2022

There's a reason this was added when it comes to security, see PR #6182.

Unlike an image, an SVG can contain malicious JS content and could then execute inside of the back office. In this case we control the specific HTML to render instead of rendering the raw HTML directly, which can contain malicious JS and thus execute this.

The ng-click event happens on mouse click, while the href attribute ensures editors can right click to open the media in a new tab/window.

In future we may use the new Sanitizer API: https://web.dev/sanitizer/
However currently it is still WIP:

The Sanitizer API is under discussion in the standardization process and Chrome is in the process of implementing it.

Not supported yet by default, but possible to enable in Firefox and Chrome:
https://caniuse.com/?search=sanitizer

I also commented on this here: #6182 (comment)

@AaronSadlerUK
Contributor Author

AaronSadlerUK commented Jul 5, 2022

@bjarnef I'm not sure I understand how this would be a risk in the backoffice?

The link would open the SVG in a new window via a direct link to the media file.

This is what happens when you click on the SVG in the Content tab anyway, so I can't see what the PR you mentioned fixes here.

@bjarnef
Contributor

bjarnef commented Jul 5, 2022

@nul800sebastiaan can you elaborate on this based on the linked PR?
The linked notes are internal, so I don't know what the test notes originally contain.
Maybe we should add a comment to this part also.

@nul800sebastiaan
Member

When you click it in the backoffice it opens a new html document, wrapping the svg in an html img tag, which means that no embedded scripts will be executed (this is a browser feature). In the backoffice all svgs are also wrapped in an image tag of course. So if we have Editor A uploading a malicious svg, and they ask Admin B to go and click it, they might be able to elevate privileges that way, or do other unwanted things.

I'll close this PR as it opens up a security issue.
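As an added example (not Umbraco's code, nor from any participant in the thread) of the two points made above: a triage check for the kind of active content bjarnef mentions an SVG can carry, and the img-wrapping viewer document Sebastiaan describes, with the media URL validated and attribute-escaped. The sample SVG and the base origin used for URL resolution are constructed for the example.

```javascript
// Added example, not Umbraco's code. An SVG opened directly is a full document whose <script>
// elements and on* handlers run in the origin that serves it; the same bytes loaded through
// <img src=...> are only rasterised. Hence the backoffice wraps the media URL in an <img>.

// Constructed sample of an uploaded SVG carrying active content (benign console.log markers).
const SAMPLE_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100" onload="console.log('handler ran')">
  <circle cx="50" cy="50" r="40"/>
  <script>console.log('script ran')</script>
</svg>`;

// Regex triage of the kinds of active content an SVG may carry. This is a review aid for an
// upload pipeline, not a sanitizer: a real check should parse the XML and allow-list nodes.
const ACTIVE_CONTENT_PATTERNS = [
  ['script-element',          /<script\b/i],
  ['event-handler-attribute', /\son[a-z]+\s*=/i],
  ['javascript-url',          /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i],
  ['foreign-object',          /<foreignObject\b/i],
];

function svgActiveContentFindings(svgText) {
  return ACTIVE_CONTENT_PATTERNS
    .filter(([, pattern]) => pattern.test(svgText))
    .map(([name]) => name);
}

// HTML attribute escaping so the media URL cannot break out of the src="..." attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the viewer document the thread describes: the SVG is referenced by an <img>, so the
// browser renders it as an image and never executes embedded script. Only http(s) or relative
// URLs are accepted; javascript: and data: URLs are rejected. The base origin is a placeholder.
function buildImgWrapperDocument(mediaUrl) {
  const resolved = new URL(mediaUrl, 'https://backoffice.example.invalid/');
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') {
    throw new Error(`refusing to embed media URL with scheme ${resolved.protocol}`);
  }
  return '<!doctype html><html><head><meta charset="utf-8"></head>' +
    `<body><img src="${escapeAttr(mediaUrl)}" alt=""></body></html>`;
}
```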

@AaronSadlerUK
Contributor Author

@nul800sebastiaan ok, so what about the SVG link on the Content tab?

This also opens in a new window in the same way I'd expect the link on the Info tab to behave... Surely this is also a security risk?

@nul800sebastiaan
Member

Yeah... now I can see. I don't know since when this has been linked; it definitely shouldn't have been, not like this anyway.

Successfully merging this pull request may close these issues.

SVG Link on Info Tab incorrect