Comments on: foreignObject: Hey, you’ve got HTML in my SVG!

By: gavindoughtie

gavindoughtie — Tue, 02 Sep 2008 16:20:11 +0000

And, one of the examples from my OSCON talk:

http://xdraw.org/CSS_slides/examples/foreignobject.svg

By: x00mario

x00mario — Tue, 02 Sep 2008 07:47:18 +0000

rethinker: I think you don’t know what I was talking about. I am pretty aware of the multiple ways to execute JS from within a SVG file. I was just ranting about the addition of another and IMHO useless way in major browser which makes filtering and parsing way harder for security affine developers.

Why is it that you have access to the DOM of the embedding page when you execute the JS in the SVG? Why can’t there be a default sandbox model that is capable of making it more secure to deal with user uploaded SVG files etc.?

By: rethinker

rethinker — Mon, 01 Sep 2008 16:06:28 +0000

Oops, pardon me. I misused the code tag, I guess.
http://phpfi.com/349371

By: rethinker

rethinker — Mon, 01 Sep 2008 16:05:11 +0000

x00mario: I don’t think you know what you’re talking about. SVG supports the script tag & ECMAScript naitively. (they call it ECMAScript on a technicality, its still JS)

Example:


alert(document.cookie);

By: x00mario

x00mario — Mon, 01 Sep 2008 13:53:53 +0000

Here’s the stripped code: http://phpfi.com/349332

By: x00mario

x00mario — Mon, 01 Sep 2008 13:53:03 +0000


    alert(document.cookie)

And one more way to embed malicious code inside SVGs… working fine in Opera, FF2 (without really rendering the svg of course), FF3 and Safari.

By: Andy

Andy — Mon, 01 Sep 2008 11:45:34 +0000

“The first example works fine on both Safari and Firefox 3.” Now that’s an overstatement. Safari has a rather serious display glitch that renders the element pretty unusable. Firefox 3 does it well. Everything works as it should, although it’s slow. But still, faster than the other browsers.

Opera does render it, however, it treats it as an image, so you can’t interact with it (Meaning no links, no scroll, etc).