Will there be validation for SVG XSS uploads?

Created on 12 October 2018, over 6 years ago
Updated 26 August 2021, over 3 years ago

It seems the validation failed to prevent users from uploading SVGs that contain script tags.
For example:

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    console.log('xxx');
  </script>
</svg>

Please see here for more info.

Feature request
Status: Fixed
Version: 1.0
Component: Code
Created by: 🇲🇲 Myanmar thihathit
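A minimal upload check for the case reported above, as an added example (not code from this project): it uses Python's standard-library expat parser and goes beyond the reported script element to also flag on* event-handler attributes, javascript: URLs in href attributes, and DOCTYPE declarations. The function name find_active_content and the clean sample file are assumptions made for illustration.

```python
import xml.parsers.expat


class _StopParsing(Exception):
    """Internal signal: abort parsing as soon as a DOCTYPE is seen."""


def _local(name):
    # Drop any namespace prefix ("svg:script" -> "script").
    return name.rsplit(":", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    def on_start(name, attrs):
        if _local(name) == "script":
            findings.append(f"element <{name}>")
        for attr, value in attrs.items():
            if _local(attr).startswith("on"):
                findings.append(f"event handler {attr} on <{name}>")
            elif _local(attr) == "href":
                # Compare with whitespace removed so it cannot hide the scheme.
                if "".join(value.split()).lower().startswith("javascript:"):
                    findings.append(f"javascript: URL in {attr} on <{name}>")

    def on_doctype(*_args):
        # Refuse DTDs outright so entity declarations are never expanded.
        findings.append("DOCTYPE declaration")
        raise _StopParsing

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(svg_bytes, True)
    except _StopParsing:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


# The SVG from the report, and a constructed clean file for comparison.
REPORTED_SVG = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">console.log('xxx');</script>
</svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0"/></svg>'
```

A deny-list like this catches the reported file; an allow-list of permitted elements and attributes is the stronger control for SVGs that will be served back to browsers.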
