Open mikewhiteman opened 1 week ago
@mikewhiteman I agree with this thought / change. 5.2.1 can cover 5.1.6, even mentions the same WSTG-BUSL-09 testing procedure.
Yes, works for me.
Overview
The web profile 5.1.6 requirement stipulates that the application shall not allow arbitrary SVG file uploads due to the risk of embedded JS leading to XSS.
The 5.2.1 requirement is already covering this specific risk by ensuring file uploads are limited to expected file types and preventing direct execution of content:
There seems to be overlap here - it's not clear to me that 5.1.6 is necessary since the XSS risk is covered under 5.2.1.
Recommendation
Let's remove the 5.1.6 requirement since this is covered already under 5.2.1.
Thoughts @8radree @johntidwell1?
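To make the overlap concrete, here is an added example (not code from the issue or from ASA-WG) of the kind of control 5.2.1 describes: an upload allowlist that checks declared type against content, rejects SVGs carrying script, event handlers or external references, and serves stored files with headers that stop the browser executing them in the application's origin. The allowlist, magic bytes and header policy are assumptions chosen for the example, not the requirement's wording.

```python
import re
import xml.etree.ElementTree as ET

# Assumed allowlist of expected upload types: extension -> (magic prefix, served Content-Type).
# SVG has no fixed magic prefix, so it is checked structurally instead.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "svg": (None, "image/svg+xml"),
}
FORBIDDEN_TAGS = {"script", "foreignobject"}


def svg_is_active(data: bytes) -> bool:
    """True if the SVG contains anything that could run code or load remote content."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # unparseable: treat as unsafe rather than guessing
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # strip the XML namespace
        if tag in FORBIDDEN_TAGS:
            return True
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()
            # onload/onclick/... handlers, or href/xlink:href pointing outside the document
            if name.startswith("on") or (name == "href" and not val.startswith("#")):
                return True
    return False


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """5.2.1-style check: expected type only, and content must match the declared type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, "type not in allowlist"
    magic, _ = ALLOWED[ext]
    if magic is not None and not data.startswith(magic):
        return False, "content does not match declared type"
    if ext == "svg" and svg_is_active(data):
        return False, "svg contains active content"
    return True, "ok"


def response_headers(filename: str) -> dict:
    """Headers for serving a stored upload so it is downloaded, not rendered as a page."""
    ext = filename.rsplit(".", 1)[-1].lower()
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": ALLOWED[ext][1],
        "X-Content-Type-Options": "nosniff",  # no MIME sniffing into text/html
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",  # inert even if rendered
    }
```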