SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027


This issue is a public follow-up on one of the first security-related issues I opened at work last year, in order to properly sanitize all user-uploaded SVG files on NextEuropa instances.

For me personally, the most interesting part of this vulnerability is how it can be exploited: not all browsers are affected, but unfortunately nowadays almost all major ones are.

Further details are under this link: https://hackerone.com/reports/148853

In order to test the vulnerability on your own SVG formatter or similar solution, take this example, save it as an SVG file, or simply let your site embed/execute it. If the sanitization is not done properly, you'll see a pop-up saying "This app is probably vulnerable to XSS attacks!"

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('This app is probably vulnerable to XSS attacks!');
   </script>
</svg>

The solution that the svg_formatter contrib module also delivers is to use this library: https://packagist.org/packages/enshrined/svg-sanitize. It is worth mentioning that the library integration was already available in the dev version of the module; with the fix we've managed to push it into a stable release, enabled by default and with the library required to be present.
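To check the fix from the defender's side, here is an added PHP example (not the svg_formatter module's own code) that runs the enshrined/svg-sanitize library on the proof-of-concept file above and rejects the upload if anything scriptable survives. It assumes the library has been installed via Composer; the sanitizeUploadedSvg() function name is mine.

```php
<?php
// Added example (not the svg_formatter module's own code): run the
// enshrined/svg-sanitize library, which the fixed release depends on,
// and re-check its output before the file is embedded inline.
// Assumes the library was installed with `composer require enshrined/svg-sanitize`.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

/** Returns sanitized SVG markup, or null when the upload must be rejected. */
function sanitizeUploadedSvg(string $raw): ?string
{
    $sanitizer = new Sanitizer();
    // Also drop href/xlink:href values that point at other hosts.
    $sanitizer->removeRemoteReferences(true);

    $clean = $sanitizer->sanitize($raw);
    // The library returns false when the input is not well-formed XML.
    if ($clean === false || $clean === '') {
        return null;
    }

    // Belt and braces: verify that nothing scriptable survived.
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    if (!$dom->loadXML($clean, LIBXML_NONET)) {
        return null;
    }
    $xpath = new DOMXPath($dom);
    $scripts  = $xpath->query('//*[local-name()="script"]');
    $handlers = $xpath->query('//@*[starts-with(name(), "on")]');
    $jsUrls   = $xpath->query('//@*[contains(translate(normalize-space(.), "JAVASCRIPT", "javascript"), "javascript:")]');
    if ($scripts->length > 0 || $handlers->length > 0 || $jsUrls->length > 0) {
        return null;
    }
    return $clean;
}

// Constructed input: the advisory's proof-of-concept file from above (DOCTYPE omitted).
$dirty = <<<'SVG'
<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">alert('This app is probably vulnerable to XSS attacks!');</script>
</svg>
SVG;

$clean = sanitizeUploadedSvg($dirty);
// The polygon is kept; the script element is gone, so no pop-up fires.
var_dump($clean !== null && strpos($clean, '<script') === false);
```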

Also thanks to the maintainer, who worked with us very well and followed our procedure: https://www.drupal.org/u/gnikolovski. It was a great pleasure to work with you, and thanks again for your comments!

Goran Nikolovski's post on LinkedIn