
Posted by varun_ch 23 hours ago

The woes of sanitizing SVGs (muffin.ink)
248 points | 99 comments | page 3
Devasta 21 hours ago
> In 2019, a few months after the initial release of Scratch 3, Scratch discovered that SVGs can contain <script> tags that Scratch would cause to be executed when the SVG loads. This is known as an XSS.

> Example from Scratch's test suite:

  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
    "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  <svg version="1.1" xmlns="http://www.w3.org/2000/svg">
    <circle cx="250" cy="250" r="50" fill="red" />
    <script type="text/javascript"><![CDATA[
        alert('from the svg!')
    ]]></script>
  </svg>

Is this really an issue? This is the method that the Chrome team's polyfill to replace XSLT suggests you do. https://github.com/mfreed7/xslt_polyfill/tree/main#usage
inkmuffin 15 hours ago
This was the example from their test suite. I didn't want to clone and build a 2019 copy of Scratch to test it end-to-end since the specifics weren't super important anyway.
esafak 23 hours ago
Is there a browser-friendly vector alternative?
simonw 21 hours ago
SVG in an <img> tag can't execute scripts.
esprehn 13 hours ago
It also can't inherit css variables which is unfortunate since it means the image doesn't respect the theme.
SpyCoder77 22 hours ago
I did not expect to see GarboMuffin.