Previously, we accept the extension provided by our users (in the fileName) and saved that to github + serve it on the final site.
This led to problems where svg + html comments led to js being exploited and served to end users. More generally, this also meant that we could serve arbitrary extensions to end users as long as their data-type was valid (in ALLOWED_EXTENSIONS)
Solution
In order to solve this issue, we construct the filename using the inferred filetype for binary data formats. For string formats (eg: svg), we rely on a 2 fold strategy:
first, we check first enclosing element is svg
however, that check alone is insufficient as malicious js could be hiding in html elements - hence, we will also use DOMPurify to sanitise the contents of the provided string data.
Problem
Previously, we accept the extension provided by our users (in the
fileName
) and saved that to github + serve it on the final site.This led to problems where
svg
+ html comments led to js being exploited and served to end users. More generally, this also meant that we could serve arbitrary extensions to end users as long as their data-type was valid (inALLOWED_EXTENSIONS
)Solution
In order to solve this issue, we construct the filename using the inferred filetype for binary data formats. For string formats (eg:
svg
), we rely on a 2 fold strategy:svg
DOMPurify
to sanitise the contents of the provided string data.