Hacker News new | ask | show | jobs
by poorman 186 days ago
All SVGs should be properly sanitized going into a backend and out of it and when rendered on a page.

Do you allow SVGs to be uploaded anywhere on your site? This is a PSA that you're probably at risk unless you can find the few hundred lines of code doing the sanitization.

Note to Ruby on Rails developers, your active storage uploaded SVGs are not sanitized by default.
5 comments
nradov 186 days ago
Is there SVG sanitization code which has been formally proven correct and itself free of security vulnerabilities?
link
codedokode 186 days ago
It would be better if they were sanitized by design and could not contain scripts and CSS. For interactive pictures, one could simply use HTML with inline SVG and scripts.
link
poorman 186 days ago
GitLab has some code in their repo if you want to see how to do it.
link
jdironman 186 days ago
This is what they actually use: https://github.com/flavorjones/loofah
link
rcxdude 186 days ago
Sanitisation is a tricky process, it can be real easy for something to slip through the cracks.
link
auxiliarymoose 186 days ago
Yes. Much better to handle all untrusted data safely rather than try to transform untrusted data into trusted data.

I found this page a helpful summary of ways to prevent SVG XSS: https://digi.ninja/blog/svg_xss.php

Notably, the sanitization option is risky because one sanitizer's definition of "safe" might not actually be "safe" for all clients and usages.

Plus as soon as you start sanitizing data entered by users, you risk accidentally sanitizing out legitimate customer data (Say you are making a DropBox-like fileshare and a customer's workflow relies on embedding scripts in an SVG file to e.g. make interactive self-contained graphics. Maybe not a great idea, but that is for the customer to decide, and a sanitization script would lose user data. Consider for example that GitHub does not sanitize JavaScript out of HTML files in git repositories.)

link
lelandfe 186 days ago
Yeah I’ve worked on a few pieces of software now that tried SVG sanitizing on uploads, got hacked, and banned the uploads.
link
exceptione 186 days ago
I guess it is a matter of parsing svg. Trying to hack around with regex is asking for trouble indeed.
link
ivw 186 days ago
just run them through `svgo` and get the benefits of smaller filesizes as well
link
silverwind 186 days ago
svgo is a minifier, not a sanitizer.
link
ivw 185 days ago
I should have clarified `svgo + removeScripts`

https://svgo.dev/docs/plugins/removeScripts/

link