Re: auto redirect to url using svg tag ? from pierre@highharbor.net on 2023-07-27 (public-website-redesign@w3.org from July 2023)

From: <pierre@highharbor.net>
Date: Thu, 27 Jul 2023 16:54:19 +0200 (CEST)
To: gerald@w3.org
Cc: public-website-redesign@w3.org
Message-ID: <ea-mime-64c2851b-d2c-69d4b632@www.mailo.com>

Hello,



Thanks for your answer. I've received the html by email. I guess this way of redirection may prevent the email to be detected as spam/fishing.
Redirection itself is not a security issue; I wasn't aware of the onerror event handler within sgv code. I was wondering if it could have lead to a an exploit/code execution.
As a feature, there is no need to investigate the security issue.



Regards,



De : Gerald Oskoboiny <gerald@w3.org>
À : pierre@highharbor.net
Sujet : Re: auto redirect to url using svg tag ?
Date : 18/07/2023 23:50:15 Europe/Paris
Copie à : public-website-redesign@w3.org

Hi Pierre,

* pierre@highharbor.net <pierre@highharbor.net> [2023-07-07 12:15+0200]
>
>Hello,
>
>Please check this mailicious code I've received in a browser (I 
>tested in Firefox). I haven't found documentation about this 
>capability within svg code.

This seems to be using the onerror event handler to redirect to 
another URL. Can you say why you think this is malicious? There 
are lots of ways to cause redirects from web pages. Is there 
something about this method that makes it a security issue?

Thanks

-- 
Gerald Oskoboiny <gerald@w3.org>
http://www.w3.org/People/Gerald/
tel:+1-604-906-1232 (mobile)

Received on Thursday, 27 July 2023 14:54:27 UTC