You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2015/10/26 17:56:27 UTC

[allura:tickets] #8011 Served SVG images can execute JS

- **private**: Yes --> No



---

** [tickets:#8011] Served SVG images can execute JS**

**Status:** closed
**Milestone:** unreleased
**Labels:** security sf-current sf-2 
**Created:** Mon Oct 26, 2015 03:10 PM UTC by Dave Brondsema
**Last Updated:** Mon Oct 26, 2015 04:17 PM UTC
**Owner:** Dave Brondsema


Since the SVG mime type (`image/svg+xml`) starts with `image/`, the `AttachmentController` lets it be displayed in the browser rather than download.  However, SVGs can contain javascript and other insecure components.

https://www.hackinparis.com/slides/hip2k11/09-TheForbiddenImage.pdf
https://www.w3.org/wiki/SVG_Security


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.