- Issue created by @heikkiy
At the moment, if you upload an SVG that, for example, contains malicious code like a script tag, it gets uploaded to the server. The module does sanitize the file before displaying it, but would it be possible to prevent even uploading this kind of file to the server?
For example, you can select an SVG file that contains the following code:
```xml
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<path d="M90,18c-90-45-115,102,0,69v-21l4-3h-23l-8,4h16v19c-80,15-65-106,2-63l-4,5l4-1z" fill="#CCC" stroke="#DDD" stroke-width="2" stroke-linejoin="round"/>
<path d="M87,15c-90-45-115,102,0,69v-21l4-3h-23l-8,4h16v19c-80,15-65-106,2-63l-4,5l4-1z" fill="#00F"/>
<script>
alert("Hello world");
</script>
</svg>
```
This file gets uploaded to the server and can be opened directly from the server path.
There are similar issues also in other modules, like "XSS validation on upload and not only display" (Active).
1. Install the latest version of the module.
2. Go to the Icons vocabulary and add a new term.
3. Create an SVG file with the above content with the script tag in it.
4. Upload the file to the term.
5. You should be able to open the file from sites/default/files/icons/svgs/script.svg and you should also see the Hello world alert.
We could check the file content for malicious content like script or iframe before it's stored to the server.
1. Implement the sanitization.
2. Add tests.
Add a possible warning to the upload dialog.
The warning could say something like:
The uploaded file script.svg could not be uploaded.
* File contains suspicious iframe tag.
* File contains suspicious script tag.
Active
3.0
Code
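
One way to implement the upload-time check proposed in this issue, as an added example that is not the module's own code. `svg_upload_findings()` is a hypothetical helper name, and the check goes slightly beyond script and iframe tags by also flagging event-handler attributes, `javascript:` links and DOCTYPE declarations.

```php
<?php
// Added example; svg_upload_findings() is a hypothetical helper name.

/**
 * Returns reasons to reject an uploaded SVG; an empty array means none found.
 */
function svg_upload_findings(string $svg): array {
  if (trim($svg) === '') {
    return ['File is empty.'];
  }
  $doc = new DOMDocument();
  $previous = libxml_use_internal_errors(TRUE);
  // LIBXML_NONET: never fetch external resources while parsing.
  $loaded = $doc->loadXML($svg, LIBXML_NONET);
  libxml_clear_errors();
  libxml_use_internal_errors($previous);
  if (!$loaded) {
    return ['File is not well-formed XML.'];
  }
  $findings = [];
  // Entity declarations can carry markup the element walk below never sees.
  if ($doc->doctype !== NULL) {
    $findings[] = 'File contains a DOCTYPE declaration.';
  }
  foreach ($doc->getElementsByTagName('*') as $element) {
    // localName ignores namespace prefixes such as svg:script.
    $name = strtolower($element->localName);
    if (in_array($name, ['script', 'iframe'], TRUE)) {
      $findings[] = "File contains suspicious $name tag.";
    }
    foreach ($element->attributes as $attribute) {
      $attr = strtolower($attribute->localName);
      $value = strtolower(preg_replace('/\s+/', '', $attribute->value));
      if (strpos($attr, 'on') === 0) {
        $findings[] = "File contains suspicious $attr attribute.";
      }
      elseif ($attr === 'href' && strpos($value, 'javascript:') === 0) {
        $findings[] = 'File contains suspicious javascript: link.';
      }
    }
  }
  return array_values(array_unique($findings));
}

// Constructed sample: the SVG from the issue with the path elements left out.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
  . '<script>alert("Hello world");</script></svg>';
print_r(svg_upload_findings($sample));
```

An upload validator would reject the file when the returned array is non-empty and show its entries as the warning text. A denylist like this is not exhaustive, so the existing sanitization before display is still needed.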