microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Add SVG+XML type support to the dataURIImagePrefix #146

Closed EvgenMatiola99 closed 2 years ago

EvgenMatiola99 commented 2 years ago

I suggest also adding the (...|svg+xml|...) type to the dataURIImagePrefix because it can be useful in some cases. https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#discrete_types Thanks a lot.

buro9 commented 2 years ago

I'm happy to do this and will add it now.

https://digi.ninja/blog/svg_xss.php clearly shows that, so long as image/svg+xml is accessed through image tags, there is no execution of any script it contains whilst the SVG is displayed inline rather than accessed directly.

However... if proof emerges that this is in fact not true I'll revisit this.
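The thread above is about extending an allowlist of image MIME types that may appear in a `data:` URI on an image source. As an added example (not bluemonday's own code, and not the regular expression the project ships), the Go program below shows how such a prefix allowlist behaves once `svg+xml` is included: a base64 image payload is accepted, while non-image types, non-base64 SVG payloads and uppercase variants are rejected rather than guessed at. The function names `AllowedImageDataURI` and `AllowedOnElement`, the `imageDataURIPrefix` expression and the sample URIs are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

import "regexp"

// imageDataURIPrefix is a constructed allowlist in the spirit of the prefix
// discussed in this issue, with svg+xml included. It is an assumption for
// this example, not bluemonday's own expression. Only a base64 payload of one
// of the listed image types passes; everything else fails closed.
var imageDataURIPrefix = regexp.MustCompile(`^image/(gif|jpeg|png|webp|svg\+xml);base64,`)

// AllowedImageDataURI reports whether src is a data: URI whose media type is
// on the image allowlist. Matching is deliberately case-sensitive so that
// unusual spellings of the scheme or type are rejected, not accepted.
func AllowedImageDataURI(src string) bool {
	const scheme = "data:"
	if !strings.HasPrefix(src, scheme) {
		return false
	}
	return imageDataURIPrefix.MatchString(src[len(scheme):])
}

// AllowedOnElement restricts the data: URI allowance to the img src attribute,
// mirroring the point made in the thread that inline SVG is only considered
// safe when reached through an image tag. Any other element or attribute
// never receives a data: URI under this constructed policy.
func AllowedOnElement(element, attr, value string) bool {
	if !strings.HasPrefix(value, "data:") {
		// Non-data URIs are outside the scope of this check; let the
		// caller's ordinary URL policy decide.
		return true
	}
	if element != "img" || attr != "src" {
		return false
	}
	return AllowedImageDataURI(value)
}

func main() {
	// Constructed sample inputs; the base64 payloads are tiny placeholders.
	samples := []struct{ element, attr, value string }{
		{"img", "src", "data:image/svg+xml;base64,PHN2Zy8+"},
		{"img", "src", "data:image/png;base64,iVBORw0KGgo="},
		{"img", "src", "data:image/svg+xml,<svg/>"},
		{"img", "src", "data:text/html;base64,PGI+"},
		{"object", "data", "data:image/svg+xml;base64,PHN2Zy8+"},
		{"img", "src", "https://example.invalid/logo.svg"},
	}
	for _, s := range samples {
		fmt.Printf("%-6s %-4s %-40s allowed=%v\n",
			s.element, s.attr, s.value, AllowedOnElement(s.element, s.attr, s.value))
	}
}
```

The two functions separate the media-type question (is this an image payload at all?) from the context question (is it being used where an image is expected?), which is the distinction the thread relies on.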