Skip to content
  • Home
  • Categories
  • Recent
  • Popular
  • World
  • Top
  • Tags
  • Users
  • Groups
  • Documentation
    • Home
    • Read API
    • Write API
    • Plugin Development
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo
v3.10.3 Latest
Buy Hosting
  1. Home
  2. Uncategorized
  3. How hard is it to process untrusted SVG data to strip out any potentially harmful tags or attributes (like stuff that might execute JavaScript)?

How hard is it to process untrusted SVG data to strip out any potentially harmful tags or attributes (like stuff that might execute JavaScript)?

Scheduled Pinned Locked Moved Uncategorized
24 Posts 7 Posters 214 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • freddy@social.security.plumbingF This user is from outside of this forum
    freddy@social.security.plumbingF This user is from outside of this forum
    Frederik Braun �
    replied to Simon Willison last edited by
    #21

    @simon @jaffathecake if you just want the SVG displayed, put them in an <img> tag. Otherwise, your favorite sanitizer library DOMPurify has great SVG support. (Iframe sandbox works really great too!!)

    jaffathecake@mastodon.socialJ 1 Reply Last reply
    0
    • jaffathecake@mastodon.socialJ This user is from outside of this forum
      jaffathecake@mastodon.socialJ This user is from outside of this forum
      Jake Archibald
      replied to Frederik Braun � last edited by
      #22

      @freddy @simon a sandboxed iframe means you can allow scripting in an opaque origin

      freddy@social.security.plumbingF 1 Reply Last reply
      0
      • freddy@social.security.plumbingF This user is from outside of this forum
        freddy@social.security.plumbingF This user is from outside of this forum
        Frederik Braun �
        replied to Jake Archibald last edited by
        #23

        @jaffathecake @simon yes, totally. Dunno if Simon would want scripts in the images. If you want them, sandbox gives better controls. If you want to police the exact set of allowed elements, a sanitizer is even better.

        But if all you want is to safely display them, img is really simple (don’t host the user supplied files on the same origin in either of these cases though :))

        simon@fedi.simonwillison.netS 1 Reply Last reply
        0
        • simon@fedi.simonwillison.netS This user is from outside of this forum
          simon@fedi.simonwillison.netS This user is from outside of this forum
          Simon Willison
          replied to Frederik Braun � last edited by
          #24

          @freddy @jaffathecake I think I can even get away with not serving the images from a separate domain if I instead inline them as base64 SVG in the img sec attribute

          (Running off a separate domain is OK for me but makes things harder for my users if I release open source code for other people to self-host)

          1 Reply Last reply
          0

          Copyright © 2024 NodeBB | Contributors
          • Login
          • Don't have an account? Register
          • Login or register to search.
          Powered by NodeBB Contributors
          • First post
            Last post
          0
          • Home
          • Categories
          • Recent
          • Popular
          • World
          • Top
          • Tags
          • Users
          • Groups
          • Documentation
            • Home
            • Read API
            • Write API
            • Plugin Development