W3C home > Mailing lists > Public > www-svg@w3.org > November 2004

Re: SVG 1.2 Comment: image/svg+xml;charset=''

From: <ronan@roasp.com>
Date: Wed, 24 Nov 2004 11:26:39 -0500 (EST)
Message-ID: <39957.127.0.0.1.1101313599.squirrel@127.0.0.1>
To: www-svg@w3.org, "Bjoern Hoehrmann" <derhoermi@gmx.net>

>
> * Chris Lilley wrote:
>>Can you explain the XSS attack and charset in more detail? What is the
>>attack, does a default charset actually help prevent it or is that
>>mythology, how should people actually guard against such attacks.
>
> See for example
>
>   * http://www.cert.org/advisories/CA-2000-02.html
>   * http://www.cert.org/tech_tips/malicious_code_mitigation.html
>
> If a web site allows to insert foreign code, you might be able to inject
> specific octet sequences that affect encoding detection heuristics, for
> example, injecting Bj+APY-rn might cause Internet Explorer to consider
> the document UTF-7 encoded; if you inject +ADw-script+AD4... you can by-
> pass code that attempts to filter script elements or escape all < chars
> or makes similar attempts to protect against such attacks.

I, like many on this list,  have been preventing XSS exploits since the
90's. THe problem dates back to the creation of javascript.

The specter of xss for SVG is the same as it is for HTML. It stems from
scripting and is limited to instances where the user is allowed to submit
form fields which contain script snippets.

Tricks with poorly formed content do not apply to XML, which is much
stricter than sgml. This is really not a problem any more as the parsers
simply reject malformed content.

XSS does not pose a risk with respect to encoding tricks. Zero. None. If
the encoding of a snippet is different, the parser will not recognize the
wrongly encoded content and just return the litteral codes, causing the
XSS trick to fail.

Granted, XSS risk exist with escaped characters within scripting. This is
why we never allow scripting content of any kind in user-contributed
content in portals. Recognizing script elements is tricky, but well
established. After all, there is no reason why SVG content would be exempt
from the same due dilligence that HTML content requires to prevent xss
exploits.

Ronan
Received on Wednesday, 24 November 2004 16:26:44 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 5 February 2014 07:14:52 UTC