- From: Scott via GitHub <sysbot+gh@w3.org>
- Date: Thu, 27 Oct 2016 21:51:06 +0000
- To: public-svg-issues@w3.org
> security zealots

> security paranoia

It's difficult to have a level discussion when participants are classified as zealots and ascribed with a mental health disorder right out of the gate.

> will allow different treatments of different types of the 2-3 types of diagrams that are all SVG graphics, such that the ones with code are marginalized and strangled off by security paranoia.. which would kill the ability to use SVG in many diagram contexts.

Partitioning into two types still allows SVG (as most people use it) to endure such paranoia.

* SVG with JavaScript -> arbitrary code execution and a huge risk to the end user; block it!
* SVG without JavaScript -> no significant risk to the end user, let it through.

As it stands now, the best solution to prevent SVG-assisted stored XSS payloads is to:

1. Forbid SVG files entirely, or
2. Cripple their intended functionality (serve as `text/plain` with `no-sniff`, force a download, etc.), or
3. Attempt to write a fork of HTMLPurifier or [Stauros](https://github.com/ircmaxell/Stauros) that sanitizes SVG files to remove all JavaScript.

1 is the easiest for the backend, but the worst for the frontend. 3 is the easiest for the frontend (you can still use SVG, just not with embedded JS). 2 is what I'm currently doing in my projects, as a stop-gap measure.

But eliminating the risk for myself doesn't help address the danger embedded in the standards. Hence, this GitHub issue.

Most security folks will prefer to just **outright forbid** all SVG files today when they hear of this risk. Changing the standard doesn't make SVG less acceptable to them. My proposal allows non-ECMAScript-burdened SVG files to still be tolerable by information security professionals.

--
GitHub Notification of comment by paragonie-scott
Please view or discuss this issue at https://github.com/w3c/svgwg/issues/266#issuecomment-256780263 using your GitHub account
Received on Thursday, 27 October 2016 21:51:13 UTC
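An added example, not from the comment above nor from the svgwg project, of the two-bucket partition it proposes, written in Python with only the standard library: `find_scripting()` reports why a file belongs in the "SVG with JavaScript" bucket, and `strip_scripting()` removes those constructs so the rest of the graphic can be served as script-free SVG. The sample document, the element and attribute denylist, and the function names are my own assumptions.

```python
"""Sort SVG into 'scripted' vs 'script-free' (the partition proposed above) and
strip the scripting. Denylist for illustration only: a production sanitizer
should allowlist known-safe elements and parse with defusedxml."""
import re
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)            # keep output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
SCRIPT_ELEMENTS = {"script", "foreignObject"}   # execute or host arbitrary code
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}     # a javascript: URL executes too

# Constructed sample: an ordinary rectangle plus three scripting vectors.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onclick="alert(1)"/>
  <a xlink:href=" javascript:alert(2)"><text>link</text></a>
  <script>alert(3)</script></svg>"""

def _local(name):                # drop the {namespace} prefix ElementTree adds
    return name.rsplit("}", 1)[-1]

def _is_script_url(value):
    # Browsers ignore leading whitespace/control characters before the scheme.
    scheme = re.sub(r"[\x00-\x20]", "", value).split(":", 1)[0]
    return scheme.lower() == "javascript"

def find_scripting(svg):
    """List the reasons an SVG would execute code; empty means script-free."""
    reasons = []
    for el in ET.fromstring(svg).iter():
        tag = _local(el.tag)
        if tag in SCRIPT_ELEMENTS:
            reasons.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):
                reasons.append("%s handler on <%s>" % (_local(attr), tag))
            elif attr in URL_ATTRS and _is_script_url(value):
                reasons.append("javascript: URL on <%s>" % tag)
    return reasons

def strip_scripting(svg):
    """Remove everything find_scripting() flags and return the cleaned SVG."""
    root = ET.fromstring(svg)
    for el in list(root.iter()):             # snapshot: the tree is mutated
        for child in list(el):
            if _local(child.tag) in SCRIPT_ELEMENTS:
                el.remove(child)
        for attr in list(el.attrib):
            if _local(attr).lower().startswith("on") or (
                    attr in URL_ATTRS and _is_script_url(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")
```

Run `find_scripting()` at upload time to decide the bucket; a non-empty result is the signal to reject the file or to pass it through `strip_scripting()` before it is ever served with an SVG content type.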