Re: preventing SVG script from running from Jeff Schiller on 2010-10-21 (www-svg@w3.org from October 2010)

From: Jeff Schiller <codedread@gmail.com>
Date: Wed, 20 Oct 2010 19:55:47 -0700
To: Jennifer Yu <Jennifer.Yu@microsoft.com>
Cc: "www-svg@w3.org" <www-svg@w3.org>
Message-ID: <AANLkTin+gOC6HPC4Sh_UsnHQf31S1BJtzZm955g6mEuG@mail.gmail.com>

Hello,

On Wed, Oct 20, 2010 at 3:59 PM, Jennifer Yu <Jennifer.Yu@microsoft.com>wrote:

>   If I want to treat SVG like another image format and allow users to
> upload SVG images to my server, is there currently any way to prevent script
> inside the uploaded SVG from executing?
>

The best way to do this is to white-list elements and attributes you want to
allow on your site.  This means parsing and re-serialization.  We have an
example of a whitelist in SVG-edit.  I've been meaning to pull that out into
a separate JS module.

Thanks,
>
> Jen
>

Regards,
Jeff

Received on Thursday, 21 October 2010 02:56:45 UTC