On Thu, Oct 21, 2010 at 3:55 PM, Jeff Schiller <codedread@gmail.com> wrote: > On Wed, Oct 20, 2010 at 3:59 PM, Jennifer Yu <Jennifer.Yu@microsoft.com>wrote: > >> If I want to treat SVG like another image format and allow users to >> upload SVG images to my server, is there currently any way to prevent script >> inside the uploaded SVG from executing? >> > > The best way to do this is to white-list elements and attributes you want > to allow on your site. This means parsing and re-serialization. We have an > example of a whitelist in SVG-edit. I've been meaning to pull that out into > a separate JS module. > Oops. I didn't read the question properly, sorry. I agree with Jeff, you'll have to sanitize uploaded content. For extra security, you could use Mozilla's CSP proposal to block script execution in browsers that support it: https://wiki.mozilla.org/Security/CSP/Specification Basically that would mean adding an HTTP header like: X-Content-Security-Policy: allow 'none'; image-src * Rob -- "Now the Bereans were of more noble character than the Thessalonians, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true." [Acts 17:11]
Received on Thursday, 21 October 2010 04:17:23 UTC