W3C home > Mailing lists > Public > www-svg@w3.org > October 2010

Re: preventing SVG script from running

From: Robert O'Callahan <robert@ocallahan.org>
Date: Thu, 21 Oct 2010 17:15:49 +1300
Message-ID: <AANLkTimz2=KYFNHgCdv7S5NBQs5YYuK2ND_Yoak+LbZy@mail.gmail.com>
To: Jeff Schiller <codedread@gmail.com>
Cc: Jennifer Yu <Jennifer.Yu@microsoft.com>, "www-svg@w3.org" <www-svg@w3.org>
On Thu, Oct 21, 2010 at 3:55 PM, Jeff Schiller <codedread@gmail.com> wrote:

> On Wed, Oct 20, 2010 at 3:59 PM, Jennifer Yu <Jennifer.Yu@microsoft.com>wrote:
>
>>   If I want to treat SVG like another image format and allow users to
>> upload SVG images to my server, is there currently any way to prevent script
>> inside the uploaded SVG from executing?
>>
>
> The best way to do this is to white-list elements and attributes you want
> to allow on your site.  This means parsing and re-serialization.  We have an
> example of a whitelist in SVG-edit.  I've been meaning to pull that out into
> a separate JS module.
>

Oops. I didn't read the question properly, sorry.

I agree with Jeff, you'll have to sanitize uploaded content. For extra
security, you could use Mozilla's CSP proposal to block script execution in
browsers that support it:
https://wiki.mozilla.org/Security/CSP/Specification
Basically that would mean adding an HTTP header like:
X-Content-Security-Policy: allow 'none'; image-src *

Rob
-- 
"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]
Received on Thursday, 21 October 2010 04:17:23 GMT

This archive was generated by hypermail 2.3.1 : Friday, 8 March 2013 15:54:46 GMT