github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: strip xlink:href from uploaded SVGs (#21057)

Browse Source 
This was inadvertently removed in 4c46c7e. In very specific scenarios,
this could be used execute arbitrary JavaScript.

Only affects instances where SVGs are allowed as uploads and CDN is not
configured.
This commit is contained in:
Penar Musaraj
2023-04-11 14:10:44 -04:00
committed by GitHub
parent 087ee8c5e2
commit 0ab3ba5f0d
2 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
spec/lib/upload_creator_spec.rb
View File

@ -613,7 +613,7 @@ RSpec.describe UploadCreator do
<g>
<use id="valid-use" x="123" href="#pathdef" />
</g>
<use id="invalid-use1" href="https://svg.example.com/evil.svg" />
<use id="invalid-use1" xlink:href="https://svg.example.com/evil.svg" />
<use id="invalid-use2" href="data:image/svg+xml;base64,#{b64}" />
</svg>
XML