SVG files are susceptible to the billion laughs attack. Our website allows users to upload/submit markdown files, and we run the .md file through marked.js before rendering it. Images in the markdown get rendered as
<img src="https://evilsite.com/badsvg.svg"/>
in the webpage. Browsers will prevent any <script> in badsvg.svg from executing. Now evilsite.com can serve a badsvg.svg that contains a billion laughs payload. This is how different browsers handle it:
Edge/IE - Not impacted, as it has a limit on entity expansion (you can see it in the logs in the console)
Firefox - Also seems to have a limit on entity expansion
Chrome - No limits; it tries to expand all entities and eventually runs out of memory, and there's no option but to close/kill the tab
This related bug on Chrome was marked 'wont fix' - https://bugs.chromium.org/p/chromium/issues/detail?id=617891
This is a client-side DoS, and the site basically becomes unusable for any user on Chrome. How do you suggest we prevent this type of attack? Disallowing users from referencing resources from external domains seems an extreme measure.