I want to display user uploaded SVG images on a website, but they're quite open to exploits:
For example, arbitrary javascript can be embedded in SVG. There's also issues with performance exploits, but I'd consider those lower priority.
Is there any mechanism to make SVG somewhat safe and only use it as an image? Can I simply trust <img src="/media/user-uploaded-image.svg" />?
Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?
I want to display user uploaded SVG images on a website, but they're quite open to exploits:
- https://security.stackexchange./questions/11384/exploits-or-other-security-risks-with-svg-upload
- https://security.stackexchange./questions/36447/img-tag-vulnerability
For example, arbitrary javascript can be embedded in SVG. There's also issues with performance exploits, but I'd consider those lower priority.
Is there any mechanism to make SVG somewhat safe and only use it as an image? Can I simply trust <img src="/media/user-uploaded-image.svg" />?
Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?
Share Improve this question edited Oct 28, 2015 at 10:02 jozxyqk asked Oct 28, 2015 at 9:48 jozxyqkjozxyqk 17.3k15 gold badges98 silver badges197 bronze badges3 Answers
Reset to default 9Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?
They serve the uploaded files from a separate hostname, specifically upload.wikimedia. You can cross-site-script into there all you like but it doesn't get you anything: it lives in a different origin to en.wikipedia and can't touch its cookies or interact with its script.
This is ultimately the only airtight way to handle file uploads, and what most of the big players do. It is just too difficult to do a thorough scan for all the many obscure XSS possibilities that exist when you allow arbitrary files.
Can I simply trust
<img src="/media/user-uploaded-image.svg" />?
It doesn't really matter what <img> does—the user can simply be navigated directly to the SVG address and it'll execute script full-page in the site's origin.
If you embed SVGs as an <image> it shouldn't be able to execute scripts.
See here: https://www.w3/wiki/SVG_Security
Of course you can also parse the document before processing and apply the same filters and regex you would apply to an html file.
Also note that (as I understand it) there is a vector of attack in the form of SVGs' ability to request arbitrary external images.