8

Does anyone know of a way to prevent JS from running inside of an SVG or stripping out JS from an SVG? In my use case I'd prefer to keep the image as an SVG and not convert it to a JPG. I've thought about stripping out script tags and on-attributes, but I would prefer to avoid a blacklist approach. Alternatively, I've looked at doing a whitelist approach of all attributes and tags, but the list is massive. Any ideas on how to approach this?

winhowes
  • 349
  • 2
  • 13
  • Questions asking for resources are off-topic, so I suggest editing that part out. (Also "Thanks!" is considered noise). Apart from that, interesting question. We also have a site for [SoftwareRecs.SE], but they have very strict [question quality guidelines](https://softwarerecs.meta.stackexchange.com/q/336/35246). – S.L. Barth Jan 12 '18 at 08:23
  • 2
    @S.L.Barth cool, I've edited the question. A library was more an option for a solution, though the reason for the library would be to understand what it's doing under the hood – winhowes Jan 12 '18 at 08:37
  • SVG is a XML format and so you should be able to find and remove the script tags using a XML library. For details how to do so I would ask on stackoverflow ;-). – allo Jan 12 '18 at 10:37
  • 2
    @allo Careful now. You need to remove more then `script` tags. You also need to remove the `on` attributes. There may also be other things I'm forgetting. – Alexander O'Mara Jan 12 '18 at 13:45
  • 1
    Indeed. Maybe some whitelisting approach would be better than just stripping the known eventhandlers. You never know if there will be new ones, like when touchevents were added to html5. – allo Jan 12 '18 at 14:36
  • @allo Careful also when telling people to go to Stack Overflow. A question that merely asks how to remove tags from an XML file is going to be rightfully downvoted there. – S.L. Barth Jan 12 '18 at 14:39
  • 1
    You're right, I should have written *search* on stackoverflow. There will be enough useful answers already. The question how to strip tags isn't that new. I just thought the security site is not the right one to discuss the details how to actually strip the tags. – allo Jan 12 '18 at 14:43

2 Answers2

5

Does anyone know of a way to prevent JS from running inside of an SVG

If you embed an SVG as an image, it's guaranteed to not run any contained JS:

<img src="https://example.com/dangerous.svg">

As a side effect this also prevents the SVG from loading any external resources. (See also: SVG as an Image)

If you feel fancy, an iframe sandbox would also prevent any script code from executing:

<iframe sandbox src="https://example.com/dangerous.svg"></iframe>

Note that if you're hosting user-provided SVGs, make sure users can't view them directly in the browser (by typing https://yoursite.example/user-images/dangerous.svg in the URL) since that would trigger the XSS anyway. Instead you need to serve untrusted files as attachments. (See also: Is it safe to store and replay user-provided mime types?)

Arminius
  • 44,242
  • 14
  • 143
  • 138
  • Yeah I was getting at untrusted users uploading SVGs in which case though I can display it in an image tag, by accessing the resource directly it'll still execute. I can further mitigate this by hosting on another domain but serving them as attachments is a great recommendation that solved the problem. Thanks! – winhowes Jan 15 '18 at 01:21
2

Use an existing library / software tool that can parse and convert SVG, and that lets you remove scripts. One important rule in security is to avoid reinventing the wheel if you can avoid it.

Which library to use is out of scope for this site, but you could try looking (and possibly asking) on http://stackoverflow.com/, or on https://softwarerecs.stackexchange.com/ , particularly under the tag svg.

As usual, read (and heed) a site's question guidelines (e.g. What is required for a question to contain “enough information”?) before asking.

sleske
  • 1,642
  • 12
  • 22
  • Sometimes a tool _is_ the right answer to a question, and in those cases it's OK to answer "use tool XYZ". Usual caveats apply, of course - disclose any affiliation you may have with the tool, and don't answer just to advertise a tool (whether your own or someone else's). – S.L. Barth Jan 12 '18 at 14:35
  • May I suggest, BTW, that when you refer people to Software Recommendations, that you include a link to their [question quality guidelines](https://softwarerecs.meta.stackexchange.com/questions/336/what-is-required-for-a-question-to-contain-enough-information)? SoftwareRecs is moderated very strictly, I believe we should warn users about that when we send them there. – S.L. Barth Jan 12 '18 at 14:43
  • @S.L.Barth: Yes, sometimes a tool is the right answer, but it is rarely a *specific* tool. In this case (like in most cases) there's too little information to recommend a specific tool, so I recommended a category, and added help to find the right one. – sleske Jan 12 '18 at 15:01
  • 1
    @S.L.Barth: Good point about the guidelines, link added. – sleske Jan 12 '18 at 15:01