Security implications of letting users render own SVG files
<p>I plan to let website users upload their own SVG documents and render them with <code>inkscape</code> or <code>svg2pdf</code>. The users will either be unauthenticated or go through a trivial sign-up process, so I would expect some hack attempts. I should therefore appreciate any pointers on what filtering I can do to minimise security threats.</p> <ul> <li>Inkscape doesn't seem to be bothered by <a href="http://html5sec.org/#11" rel="nofollow noreferrer">JavaScript onload tags</a> and happily renders the content without anything untoward happening (that said, I can't get Firefox 10 to cough up an alert box either using that approach).</li> <li>I am concerned that an <code>&lt;image xlink:href /&gt;</code> tag could link to a huge or malformed bitmap image using an external URI - which theoretically could crash the service. Is there an easy way to traverse the XML document to filter these? I can do this easily with XMLReader of course, but wonder if I might have to deal with things like <code>&amp;#111;nload</code> for 'onload' (though Firefox just rejected it as invalid, so perhaps this is a needless worry). Side note: images in themselves are acceptable, but I think I'd either require them to be inline <code>data:</code> or whitelist acceptable target URIs, with filesize limitations.</li> <li>Are there any SVG directives (in particular that render text) that could include the text contents of system files, such as <code>/etc/passwd</code> etc?</li> <li>One approach I could also take is validation against the SVG spec. That's the subject of another question I've asked <a href="https://stackoverflow.com/questions/9651493/validating-svg-file-in-php-with-xmlreader">here</a>.</li> </ul> <p>I'm using PHP 5.2 with XMLReader and XMLWriter, though other PHP stream-based systems would be acceptable. Systems are OS X 10.6.8 for dev, and LAMP on production.</p>
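The streaming filter below is an added example, not the question author's code: it walks an upload with PHP's XMLReader, as the question proposes, and rejects the document on the first sign of anything the renderer should never see. It covers the three concerns raised in the post. The <code>/etc/passwd</code> case is an XML problem rather than an SVG one: a <code>DOCTYPE</code> can declare an external entity (<code>&lt;!ENTITY pw SYSTEM "file:///etc/passwd"&gt;</code>) that a <code>&lt;text&gt;</code> element then expands, so the filter rejects any DOCTYPE and any entity reference, and disables entity loading and network access while it parses. External resources are caught on every <code>href</code>/<code>xlink:href</code> (<code>&lt;image&gt;</code>, but also <code>&lt;use&gt;</code>, <code>&lt;feImage&gt;</code> and friends) and on <code>url(...)</code> in CSS, allowing only fragment references, size-limited <code>data:</code> bitmaps on <code>&lt;image&gt;</code>, and an optional list of URL prefixes you choose to whitelist. The <code>&amp;#111;nload</code> worry is a needless one, as observed in Firefox: XML does not permit character references inside element or attribute names, so that is a well-formedness error the parser reports rather than an attribute to match; in attribute values, the only place such references are legal, the reader hands you the decoded string, so comparing against <code>$reader-&gt;value</code> is enough. The size limits and the denied-element list are hypothetical policy values. Whatever you filter, still run <code>inkscape</code>/<code>svg2pdf</code> under a CPU and memory limit and a timeout; a well-formed SVG can still be expensive to render.

```php
<?php
// Added example (not the question author's code): a reject-on-sight filter for
// uploaded SVG built on PHP's XMLReader. All limits are hypothetical policy values.

define('SVG_MAX_BYTES',    512 * 1024);  // size of the whole upload
define('SVG_MAX_ELEMENTS', 20000);       // guards against element floods
define('SVG_MAX_DATA_URI', 256 * 1024);  // one inline <image> payload

/**
 * Returns an array of reasons to reject $svg; an empty array means it passed.
 * $allowedUrlPrefixes is an optional whitelist of external URL prefixes.
 */
function svg_upload_check($svg, $allowedUrlPrefixes = array())
{
    // Elements that run script, embed foreign content or fetch resources themselves.
    $denied = array('script' => 1, 'foreignobject' => 1, 'feimage' => 1, 'font-face-uri' => 1);
    $problems = array();

    if (strlen($svg) > SVG_MAX_BYTES) {
        return array('upload larger than ' . SVG_MAX_BYTES . ' bytes');
    }

    // The check itself must never fetch anything: no entity loader, no DTD, no network.
    if (function_exists('libxml_disable_entity_loader')) {   // PHP >= 5.2.11
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    libxml_clear_errors();

    $reader = new XMLReader();
    if (!$reader->xml($svg, null, LIBXML_NONET)) {
        return array('not parseable as XML');
    }
    $reader->setParserProperty(XMLReader::LOADDTD, false);
    $reader->setParserProperty(XMLReader::SUBST_ENTITIES, false);

    $elements = 0;
    $inStyle  = false;

    while ($reader->read()) {
        switch ($reader->nodeType) {
            case XMLReader::DOC_TYPE:
                // A DTD can declare entities that expand to a local file or to a huge
                // string (the /etc/passwd case); an uploaded drawing never needs one.
                $problems[] = 'DOCTYPE declaration present';
                break;

            case XMLReader::ENTITY_REF:
                $problems[] = 'entity reference &' . $reader->name . '; present';
                break;

            case XMLReader::ELEMENT:
                if (++$elements > SVG_MAX_ELEMENTS) {
                    $problems[] = 'more than ' . SVG_MAX_ELEMENTS . ' elements';
                    break 2;
                }
                $name = strtolower($reader->localName);
                if (isset($denied[$name])) {
                    $problems[] = "element <$name> is not allowed";
                }
                if ($name === 'style' && !$reader->isEmptyElement) {
                    $inStyle = true;
                }
                if ($reader->moveToFirstAttribute()) {
                    do {
                        svg_check_attribute($reader, $name, $allowedUrlPrefixes, $problems);
                    } while ($reader->moveToNextAttribute());
                    $reader->moveToElement();
                }
                break;

            case XMLReader::END_ELEMENT:
                if (strtolower($reader->localName) === 'style') {
                    $inStyle = false;
                }
                break;

            case XMLReader::TEXT:
            case XMLReader::CDATA:
                // CSS inside <style> can pull in resources through url(...) as well.
                if ($inStyle && svg_has_external_url($reader->value)) {
                    $problems[] = 'stylesheet references an external url()';
                }
                break;
        }
    }
    $reader->close();

    // Anything libxml choked on (including &#111;nload used as an attribute name).
    foreach (libxml_get_errors() as $err) {
        $problems[] = 'XML error: ' . trim($err->message);
    }
    libxml_clear_errors();
    return $problems;
}

function svg_check_attribute(XMLReader $reader, $element, $allowedUrlPrefixes, array &$problems)
{
    if ($reader->namespaceURI === 'http://www.w3.org/2000/xmlns/') {
        return;                               // xmlns declarations are not content
    }
    $attr  = strtolower($reader->localName);  // "xlink:href" and "href" both give "href"
    $value = $reader->value;                  // character references already decoded here

    if (strncmp($attr, 'on', 2) === 0) {
        $problems[] = "event handler attribute $attr on <$element>";
    } elseif ($attr === 'href') {
        if ($value === '' || $value[0] === '#') {
            return;                           // reference to something inside the document
        }
        if (strncasecmp($value, 'data:', 5) === 0) {
            if ($element !== 'image') {
                $problems[] = "data: URI on <$element>";
            } elseif (!preg_match('#^data:image/(png|jpeg|gif);base64,#i', $value)) {
                $problems[] = 'inline image is not a base64 png/jpeg/gif';   // no nested svg+xml
            } elseif (strlen($value) > SVG_MAX_DATA_URI) {
                $problems[] = 'inline image larger than ' . SVG_MAX_DATA_URI . ' bytes';
            }
            return;
        }
        foreach ($allowedUrlPrefixes as $prefix) {
            if (strncmp($value, $prefix, strlen($prefix)) === 0) {
                return;                       // whitelisted remote target
            }
        }
        $problems[] = "<$element> references an external resource: $value";
    } elseif ($attr === 'style' && svg_has_external_url($value)) {
        $problems[] = "style attribute on <$element> references an external url()";
    }
}

// True when the CSS contains a url(...) that is not a local fragment (#id).
function svg_has_external_url($css)
{
    return preg_match('/url\s*\(\s*[\'"]?\s*(?!#)\S/i', $css) === 1;
}

// Constructed sample inputs (not real uploads) to exercise the filter.
$clean = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
       . '<defs><circle id="c" r="4"/></defs><use xlink:href="#c"/></svg>';

$hostile = '<?xml version="1.0"?>'
         . '<!DOCTYPE svg [<!ENTITY pw SYSTEM "file:///etc/passwd">]>'
         . '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
         . ' onload="alert(1)"><text>&pw;</text>'
         . '<image xlink:href="http://attacker.example/huge.bmp" width="1" height="1"/></svg>';

print_r(svg_upload_check($clean));
print_r(svg_upload_check($hostile));
```

The clean sample comes back with an empty array; the hostile one is rejected, with the DOCTYPE, the <code>onload</code> handler and the external <code>&lt;image&gt;</code> URL among the reasons listed. The filter deliberately rejects rather than rewrites: stripping attributes and re-serialising with XMLWriter is possible, but a reject list is easier to reason about, and anything that survives it is still a document you should only hand to a renderer running under resource limits.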