- From: Jun via GitHub <sysbot+gh@w3.org>
- Date: Fri, 16 Dec 2022 19:17:16 +0000
- To: public-svg-issues@w3.org
> I'm not a security expert. I tried USE with external SVGs on the same domain and it seems that scripts are not run, nor do event handlers like `onclick` trigger, or other basic malicious scripting I could think of. I realize there is more danger there that I do not know about, but like I said, people currently work around this by simply requesting the SVG source and inlining it into the page, and I doubt many of them run it through DOMPurify or something. So even if it might be a not-that-safe practice, to achieve the same effect people most likely turn to even more dangerous solutions.

Replying to an [old comment](https://github.com/w3c/svgwg/issues/707#issuecomment-507338795).

While [script elements are inert](https://svgwg.org/svg2-draft/struct.html#UseShadowTree:~:text=Within%20a%20use%2Delement%20shadow%20tree%2C%20%E2%80%98script%E2%80%99%20elements%20are%20inert%20(do%20not%20execute).), event handlers or links with `javascript:` URLs work. Here is the [PoC](https://test.shhnjk.com/use.svg), which should execute script in Chrome/Firefox/Safari. This shows that the SVGUseElement is not a safe alternative.

Additionally, the ability to import external `script` or `html` into the current document has only been granted to places where script can be executed (i.e. `script.src`, `import()`, etc.). AFAIK, SVGUseElement is the only place where we still allow this. This has led to bypasses of several security sanitizers and linters (e.g. [Trusted Types](https://github.com/w3c/trusted-types/issues/357), [Sanitizer API](https://bugs.chromium.org/p/chromium/issues/detail?id=1306450#c10)).

Therefore, I'm working on [removing support for data: URLs in SVGUseElement](https://github.com/w3c/svgwg/pull/901), and I would love to keep the current behavior of only allowing same-origin resources in SVGUseElement.
--
GitHub Notification of comment by shhnjk
Please view or discuss this issue at https://github.com/w3c/svgwg/issues/707#issuecomment-1355460162 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 16 December 2022 19:17:18 UTC
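The comment above describes `<use>` as the remaining place where an external resource can be pulled into a document, and proposes keeping only same-origin targets. The following is an added example (not code from the thread or from the SVG WG) of the check a sanitizer or linter could apply to `<use>` references: same-document fragments pass, same-origin files pass only on opt-in, and `data:`, cross-origin or other targets are rejected. The function names, the document URL and the sample SVG are constructed for this example.

```javascript
// Classify where a <use> href/xlink:href points, relative to the document's URL.
function classifyUseHref(href, documentUrl) {
  const value = (href || '').trim();
  if (value === '') return 'empty';
  if (value.startsWith('#')) return 'same-document'; // fragment only, nothing fetched
  let target;
  try {
    target = new URL(value, documentUrl);
  } catch {
    return 'invalid';
  }
  if (target.protocol === 'data:') return 'data-url'; // what the cited PR removes
  if (target.protocol === 'javascript:') return 'javascript-url';
  if (target.origin === new URL(documentUrl).origin) return 'same-origin-external';
  return 'cross-origin';
}

// Policy: same-document references are always fine, same-origin external
// files only when the caller opts in, everything else is rejected.
function useTargetAllowed(href, documentUrl, allowSameOriginExternal = false) {
  const kind = classifyUseHref(href, documentUrl);
  if (kind === 'same-document') return true;
  if (kind === 'same-origin-external') return allowSameOriginExternal;
  return false;
}

// Pull every <use> reference out of an SVG string. A regex is enough for the
// constructed sample below; a real sanitizer would walk the parsed DOM instead.
function findUseReferences(svgText) {
  const re = /<use\b[^>]*?\s(?:xlink:)?href\s*=\s*["']([^"']*)["']/gi;
  const refs = [];
  let m;
  while ((m = re.exec(svgText)) !== null) refs.push(m[1]);
  return refs;
}

// Constructed sample with one reference of each kind discussed in the thread.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use href="#icon"/>
  <use xlink:href="/sprites.svg#star"/>
  <use href="https://cdn.example/sprite.svg#x"/>
  <use href="data:image/svg+xml,%3Csvg/%3E"/>
</svg>`;

// Audit an SVG document: one record per <use> reference with its verdict.
function auditSvg(svgText, documentUrl, allowSameOriginExternal = false) {
  return findUseReferences(svgText).map((href) => ({
    href,
    kind: classifyUseHref(href, documentUrl),
    allowed: useTargetAllowed(href, documentUrl, allowSameOriginExternal),
  }));
}
```

With the default policy only the `#icon` reference survives; passing `true` as the third argument to `auditSvg` additionally accepts `/sprites.svg#star`, matching the same-origin behaviour the comment wants to keep.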