Skip to content

Commit

Permalink
[] (0) Make it impossible for an SVG file not labelled as SVG to be s…
Browse files Browse the repository at this point in the history
…niffed as a valid image in <img> (that would allow privilege escalation), but do allow a correctly-labelled SVG to be processed as such.

git-svn-id: http://svn.whatwg.org/webapps@2096 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information
Hixie committed Aug 21, 2008
1 parent bae5477 commit 0ec7d80
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 13 deletions.
20 changes: 12 additions & 8 deletions index
Original file line number Diff line number Diff line change
Expand Up @@ -5736,9 +5736,6 @@
either "text/xml" or "application/xml", then the sniffed type of the
resource is <var title="">official type</var>; return that and abort
these steps.
</li>
<!-- we don't want
image/svg+xml going through the next step -->

<li>
<p>If <var title="">official type</var> is an image type supported by the
Expand Down Expand Up @@ -6199,10 +6196,14 @@
<h4 id=content-type3><span class=secno>2.7.5 </span><dfn
id=content-type8>Content-Type sniffing: image</dfn></h4>

<p>If the first bytes of the resource match one of the byte sequences in
the first column of the following table, then the sniffed type of the
resource is the type given in the corresponding cell in the second column
on the same row:
<p>If the resource's <var title="">official type</var> is "image/svg+xml",
then the sniffed type of the resource is its <var title="">official
type</var> (an XML type).

<p>Otherwise, if the first bytes of the resource match one of the byte
sequences in the first column of the following table, then the sniffed
type of the resource is the type given in the corresponding cell in the
second column on the same row:

<table>
<thead>
Expand Down Expand Up @@ -16077,7 +16078,10 @@ interface <dfn id=htmlimageelement>HTMLImageElement</dfn> : <a href="#htmlelemen
title="Content-Type sniffing: image">image sniffing rules</a> to determine
the type of the image, with the image's <a href="#content-type5"
title=Content-Type>associated Content-Type headers</a> giving the <var
title="">official type</var>.
title="">official type</var>. If these rules are not applied, then the
type of the image must be the type given by the image's <a
href="#content-type5" title=Content-Type>associated Content-Type
headers</a>.

<p>User agents must not support non-image resources with the <code><a
href="#img">img</a></code> element (e.g. XML files whose root element is
Expand Down
15 changes: 10 additions & 5 deletions source
Original file line number Diff line number Diff line change
Expand Up @@ -3697,8 +3697,7 @@
<li><p>If <var title="">official type</var> ends in "+xml", or if
it is either "text/xml" or "application/xml", then the sniffed
type of the resource is <var title="">official type</var>; return
that and abort these steps.</p></li> <!-- we don't want
image/svg+xml going through the next step -->
that and abort these steps.</p></li>

<li><p>If <var title="">official type</var> is an image type
supported by the user agent (e.g. "image/png", "image/gif",
Expand Down Expand Up @@ -4081,8 +4080,12 @@

<h4><dfn>Content-Type sniffing: image</dfn></h4>

<p>If the first bytes of the resource match one of the byte
sequences in the first column of the following table, then the
<p>If the resource's <var title="">official type</var> is
"image/svg+xml", then the sniffed type of the resource is its <var
title="">official type</var> (an XML type).</p>

<p>Otherwise, if the first bytes of the resource match one of the
byte sequences in the first column of the following table, then the
sniffed type of the resource is the type given in the corresponding
cell in the second column on the same row:</p>

Expand Down Expand Up @@ -13560,7 +13563,9 @@ interface <dfn>HTMLImageElement</dfn> : <span>HTMLElement</span> {
sniffing: image">image sniffing rules</span> to determine the type
of the image, with the image's <span title="Content-Type">associated
Content-Type headers</span> giving the <var title="">official
type</var>.</p>
type</var>. If these rules are not applied, then the type of the
image must be the type given by the image's <span
title="Content-Type">associated Content-Type headers</span>.</p>

<p>User agents must not support non-image resources with the
<code>img</code> element (e.g. XML files whose root element is an
Expand Down

0 comments on commit 0ec7d80

Please sign in to comment.