
javascript: bypass via <svg> and use. #84

Open
mikewest opened this issue Apr 26, 2021 · 7 comments
@mikewest
Member

A friendly, clever person submitted the following as a bypass of the javascript: URL handling in https://wicg.github.io/sanitizer-api/#handle-funky-elements:

```html
<div id=div></div>
<script>
// The config allows <svg> and <use>, plus xlink:href on <use>, so the
// sanitizer passes the element through. The data: URL referenced by
// xlink:href is a separate SVG document that the sanitizer never inspects;
// it carries the javascript: link.
div.replaceChildren(
  new Sanitizer({
    "allowElements": ["svg", "use"],
    "allowAttributes": {"xlink:href": ["use"]}
  }).sanitize(`<svg>
    <use xlink:href='data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="x" viewBox="0 0 100 50" width="100%" height="100%"><a href="javascript:alert(1)"><circle r="100" /></a></svg>#x'/>
  </svg>`));
</script>
```
@mozfreddyb mozfreddyb added the bug label Apr 27, 2021
@mozfreddyb
Collaborator

Thanks!
I know we don't handle non-HTML really well yet. Both in spec as well as in implementations. #72 talks some more about this.

@otherdaniel
Collaborator

> I know we don't handle non-HTML really well yet. Both in spec as well as in implementations. #72 talks some more about this.

Seconded. The spec still pretends that SVG doesn't exist, which opens up this hole.

The specific vector here seems to be <svg:use>, which I guess should be either baseline-forbidden, or get treatment similar to <template>.

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Apr 28, 2021
Regression tests for:
- WICG/sanitizer-api#84
- WICG/sanitizer-api#85
- WICG/sanitizer-api#86

Bug: 1203238
Change-Id: I844185c4b3295712f11d57fd0bf91efb9402823f
blueboxd pushed a commit to blueboxd/chromium-legacy that referenced this issue Apr 29, 2021
Regression tests for:
- WICG/sanitizer-api#84
- WICG/sanitizer-api#85
- WICG/sanitizer-api#86

Bug: 1203238
Change-Id: I844185c4b3295712f11d57fd0bf91efb9402823f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2854853
Commit-Queue: Daniel Vogelheim <[email protected]>
Reviewed-by: Yifan Luo <[email protected]>
Cr-Commit-Position: refs/heads/master@{#877446}
@mozfreddyb mozfreddyb added the v1 label Mar 23, 2022
@otherdaniel
Collaborator

Meanwhile, the spec knows SVG exists, but we haven't agreed on a "baseline" config for it yet. We should close this bug once that is there.

If it matters, Chromium has a for-testing configuration supporting SVG & friends, which does not have <svg:use> in the baseline and thus unconditionally blocks it.

mjfroman pushed a commit to mjfroman/moz-libwebrtc-third-party that referenced this issue Oct 14, 2022
NOKEYCHECK=True
GitOrigin-RevId: 4aee5e3d88ce4742d367f7525db00ff4f851846b
@mozfreddyb mozfreddyb added this to the v1 milestone Jan 23, 2024
@annevk
Collaborator

annevk commented Apr 3, 2024

Do all implementations block data: URLs in svg:use these days? Does that open the door to allowing it?

(See also #103.)

@mozfreddyb
Collaborator

With data: URLs being unsupported, the remaining XSS risks with <svg use> are URLs pointing to same-origin / same-document resources. Right?

@annevk
Collaborator

annevk commented Apr 17, 2024

What was the conclusion here and why? We should have something before we close an issue.

@annevk annevk reopened this Apr 17, 2024
@mozfreddyb
Collaborator

OK. <svg><use> is at this point similar in capabilities to an <iframe>, except that the included resources must be same-origin. We should make sure that we handle it the same way.
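The policy the thread converges on (data: and javascript: references to `<use>` are blocked; a baseline only needs same-document fragment references; same-origin documents are the `<iframe>`-like case that may be allowed by an explicit config) can be expressed as a small pre-filter that a sanitizer would run over the `href`/`xlink:href` of every `<use>` element. The following is an added example written for this page; it is not code from the Sanitizer API spec, from Chromium, or from any of the commenters. The function names `classifyUseHref` and `filterUseAttributes`, the three result labels, and the `allowSameOrigin` option are assumptions of this example, and the sample attribute maps are constructed inputs. It uses the WHATWG `URL` class, which both browsers and Node provide.

```javascript
// Result labels for a <use> reference, from the sanitizer's point of view.
const SAME_DOCUMENT = "same-document"; // "#x": a fragment of the document itself
const SAME_ORIGIN = "same-origin";     // another document on the same origin
const BLOCKED = "blocked";             // data:, javascript:, blob:, cross-origin, unparsable

// Classify the URL a <use> element would follow, resolved against the
// URL of the document being sanitized.
function classifyUseHref(href, documentURL) {
  const raw = String(href).trim();
  // A bare fragment can only reference the current document.
  if (raw.startsWith("#")) return SAME_DOCUMENT;

  let url;
  try {
    url = new URL(raw, documentURL);
  } catch {
    return BLOCKED; // unparsable: never let it through
  }

  // data:, javascript:, blob: and friends have an opaque origin; they are
  // never same-origin with the document, whatever the author config says.
  if (url.protocol !== "http:" && url.protocol !== "https:") return BLOCKED;

  const doc = new URL(documentURL);
  if (url.origin !== doc.origin) return BLOCKED;

  // Same origin: is it this very document (fragment aside) or another one?
  const stripFragment = (u) => u.href.split("#")[0];
  if (stripFragment(url) === stripFragment(doc)) return SAME_DOCUMENT;
  return SAME_ORIGIN;
}

// Return a copy of a <use> element's attribute map with every reference
// attribute that fails the policy removed. Both spellings of the attribute
// must be covered: the bypass in this issue used xlink:href, not href.
// By default only same-document references survive; allowSameOrigin opts
// into the <iframe>-like case of pulling in another same-origin document.
function filterUseAttributes(attrs, documentURL, { allowSameOrigin = false } = {}) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (name === "href" || name === "xlink:href") {
      const verdict = classifyUseHref(value, documentURL);
      const ok = verdict === SAME_DOCUMENT || (allowSameOrigin && verdict === SAME_ORIGIN);
      if (!ok) continue; // drop the attribute; the element stays but references nothing
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample: the shape of the <use> from the report above, plus a
// benign sprite reference, checked against a hypothetical document URL.
const PAGE = "https://example.test/app/page";
const reported = {
  "xlink:href": 'data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" id="x"><a href="javascript:alert(1)"/></svg>#x',
  width: "100%",
};
const sprite = { href: "/static/icons.svg#arrow" };

console.log(classifyUseHref(reported["xlink:href"], PAGE)); // blocked
console.log(filterUseAttributes(reported, PAGE));           // { width: "100%" }
console.log(filterUseAttributes(sprite, PAGE));             // {} (same-origin, not opted in)
console.log(filterUseAttributes(sprite, PAGE, { allowSameOrigin: true })); // href kept
```

The classification deliberately happens on the resolved URL rather than on the attribute string, so `//evil.test/x.svg`, relative paths and upper-case schemes are all handled by the URL parser instead of by hand-written string checks.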
