W3C home > Mailing lists > Public > www-svg@w3.org > October 2010

Re: preventing SVG script from running

From: Jeff Schiller <codedread@gmail.com>
Date: Wed, 20 Oct 2010 19:55:47 -0700
Message-ID: <AANLkTin+gOC6HPC4Sh_UsnHQf31S1BJtzZm955g6mEuG@mail.gmail.com>
To: Jennifer Yu <Jennifer.Yu@microsoft.com>
Cc: "www-svg@w3.org" <www-svg@w3.org>

On Wed, Oct 20, 2010 at 3:59 PM, Jennifer Yu <Jennifer.Yu@microsoft.com>wrote:

>   If I want to treat SVG like another image format and allow users to
> upload SVG images to my server, is there currently any way to prevent script
> inside the uploaded SVG from executing?

The best way to do this is to white-list elements and attributes you want to
allow on your site.  This means parsing and re-serialization.  We have an
example of a whitelist in SVG-edit.  I've been meaning to pull that out into
a separate JS module.

> Jen

Received on Thursday, 21 October 2010 02:56:45 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:29:45 UTC