SVG sanitize under IMCE module

Created on 12 June 2025, 3 months ago

    <?xml version="1.0" standalone="no"?>
    <svg xmlns="http://www.w3.org/2000/svg">
      <script>alert(document.cookie);</script>
    </svg>

When we upload an image and give it an SVG file whose content is the above, it executes the alert. How can we fix this security issue?

🐛 Bug report
Status: Active
Version: 3.1
Component: Code
Created by: satwantsinghbhatia (India)


Comments & Activities

  • Issue created by @satwantsinghbhatia
  • Allowing the SVG extension is the same as allowing the HTML extension. It requires more advanced filtering (considering onX attributes) than the one in your patch. IMCE supports SVG files being previewed using the IMG tag, which is safe. Other than that, the risk is the same as for HTML files. A standalone SVG is as dangerous as a standalone HTML page. If you choose to allow HTML from your users, you should take care of it using a custom module/configuration.
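
The distinction the maintainer draws is between an SVG rendered through an IMG tag, where browsers never run script, and the same file opened directly as a document, where it behaves like an HTML page. The following is an added example, not code from IMCE or from either participant, that illustrates why removing the `<script>` element alone (the approach in the reporter's patch, as described above) is not sufficient, and what a sanitizer that also handles on* attributes, javascript: URLs and foreign-content elements looks like. It is written in Python for ease of demonstration rather than in the module's PHP; the element and attribute lists, the function names, and the two sample SVG documents are this example's own constructions.

```python
"""Added example (not IMCE's code): find and strip active content in an SVG.

A browser that opens an SVG directly treats it like an HTML document, so
deleting <script> is not enough: on* event handlers, javascript: URLs and
elements that embed or fetch foreign content run just the same. The element
and attribute lists below are this example's own choices.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements removed outright. The animation elements go too, because they can
# rewrite href attributes at runtime; this is deliberately conservative.
ACTIVE_ELEMENTS = {
    "script", "foreignObject", "iframe", "embed", "object", "handler",
    "animate", "animateTransform", "animateMotion", "set",
}
# CSS that pulls in an external resource (tracking / exfiltration vector).
RESOURCE_RE = re.compile(r"@import|url\s*\(", re.I)


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return qname.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside the scheme,
    # so "java\tscript:" still runs; normalise before matching.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return re.match(r"(javascript|vbscript|data):", cleaned) is not None


def _dangerous_attr(elem_local: str, name: str, value: str):
    """Return a reason string if the attribute is dangerous, else None."""
    local = _local(name).lower()
    if local.startswith("on"):
        return f"event handler {local}"
    if local == "href":
        if _is_script_url(value):
            return "script URL in href"
        if elem_local == "use" and not value.strip().startswith("#"):
            return "external <use> reference"
    if local == "style" and RESOURCE_RE.search(value):
        return "style attribute fetches a resource"
    return None


def _parse(svg_text: str):
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    return root


def find_active_content(svg_text: str) -> list:
    """List every script-capable element or attribute, in document order."""
    findings = []
    for el in _parse(svg_text).iter():
        local = _local(el.tag)
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element")
        elif local == "style" and el.text and RESOURCE_RE.search(el.text):
            findings.append("<style> element fetches a resource")
        for name, value in el.attrib.items():
            reason = _dangerous_attr(local, name, value)
            if reason:
                findings.append(f"{reason} on <{local}>")
    return findings


def sanitize_svg(svg_text: str) -> str:
    """Drop active elements and attributes; keep the rest of the drawing."""
    root = _parse(svg_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):  # snapshot: the tree is modified below
        local = _local(el.tag)
        if local in ACTIVE_ELEMENTS or (
            local == "style" and el.text and RESOURCE_RE.search(el.text)
        ):
            parents[el].remove(el)
            continue
        for name in list(el.attrib):
            if _dangerous_attr(local, name, el.attrib[name]):
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode")


def naive_strip_script(svg_text: str) -> str:
    """A fix that only deletes <script> blocks, kept here to show it is insufficient."""
    return re.sub(r"<script\b.*?</script\s*>", "", svg_text, flags=re.I | re.S)


# Constructed samples. The first is the reporter's payload; the second has no
# <script> at all and still runs when the file is opened in a browser tab.
SCRIPT_SVG = (
    '<?xml version="1.0" standalone="no"?>\n'
    '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie);</script></svg>'
)
HANDLER_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="alert(document.cookie)">'
    '<a xlink:href="java&#9;script:alert(1)"><text x="10" y="20">click</text></a>'
    '<rect width="10" height="10"/></svg>'
)
```

Running `find_active_content` on `naive_strip_script(HANDLER_SVG)` still reports the `onload` handler and the `javascript:` href, which is the maintainer's point about onX attributes; `sanitize_svg` removes both and leaves the shapes. Note that an allow-list sanitizer like this is one option; the other is to never serve user-uploaded SVGs inline from the site's own origin (for example by sending them with `Content-Disposition: attachment`, or from a separate cookieless domain), so that even an unsanitized file cannot reach the session cookie the reporter's payload reads.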
