mikitex70 / redmine_drawio

Macro plugin to embed draw.io diagrams into Redmine wiki pages
MIT License

SVG's rendering is prone to XSS #102

Closed maudov closed 3 years ago

maudov commented 3 years ago

Hi,

SVG's rendering is prone to XSS in redmine_drawio. Steps to reproduce:

1. upload an SVG containing a script to a wiki page and attach it (`{{drawio_attach(...)}}`)

       <svg height="100" width="100">
       <script>alert('xss')</script>
       <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
       Sorry, your browser does not support inline SVG.
       </svg>

2. go to the wiki page

![image](https://user-images.githubusercontent.com/90309140/134655374-be2b7093-dd9f-4353-b542-aa595fe8677f.png)

There are several approaches to fix this issue:
- set the CSP policy to prevent inline javascript execution
- insert the SVG in iframe tag with the sandbox attribute
- insert the SVG as base64 in an img tag

The latter one is probably the easiest fix for redmine_drawio, here is an example:
https://github.com/mathieu-mbru/redmine_drawio/commit/50ac2d9753187ceb8fe487dd9d6da7bfd18a8fc4

More information about XSS here:
https://owasp.org/www-community/attacks/xss/

An interesting article about SVG XSS defence scenarios:
https://digi.ninja/blog/svg_xss.php
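The three mitigations listed in the report, worked through in Ruby as an added example (this is not code from redmine_drawio or from the reporter's linked commit). It uses only the standard library (`base64`, `cgi`, `rexml`), and the `POC_SVG` sample is constructed from the proof-of-concept above with an `xmlns` added so it is a valid standalone SVG. The `SAFE_ELEMENTS` allow-list is an assumption kept deliberately short for the demonstration; a real draw.io export uses more elements and the list would have to be extended for them. The sanitizer decides on the parsed tree rather than on the raw text, and besides `script` elements it also drops event-handler attributes and `javascript:` URLs, which any sanitizer for inline SVG has to cover.

```ruby
require 'base64'
require 'cgi'
require 'rexml/document'

# Constructed sample based on the proof-of-concept attached to this issue:
# a script element next to ordinary drawing content.
POC_SVG = <<~SVG
  <svg height="100" width="100" xmlns="http://www.w3.org/2000/svg">
    <script>alert('xss')</script>
    <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
  </svg>
SVG

# Mitigation 1 (the reporter's preferred option): embed the SVG as a base64
# data URI in an <img> element. Browsers render SVG-as-image in a restricted
# mode that never runs scripts, so no part of the SVG text has to be trusted.
# The alt text is HTML-escaped because it comes from the page author too.
def svg_to_img_tag(svg, alt: 'draw.io diagram')
  encoded = Base64.strict_encode64(svg)
  %(<img src="data:image/svg+xml;base64,#{encoded}" alt="#{CGI.escapeHTML(alt)}">)
end

# Mitigation 2: a Content-Security-Policy value that forbids inline script.
# Sent as the Content-Security-Policy response header of the wiki page, it makes
# the browser refuse the inline <script> block in an embedded SVG.
CSP_NO_INLINE_SCRIPT = "default-src 'self'; script-src 'self'; object-src 'none'".freeze

# Mitigation 3: parser-based sanitizing for the inline-SVG route. Only listed
# drawing elements survive (assumed minimal allow-list for this example), and
# every attribute that is an event handler or a javascript: URL is dropped.
SAFE_ELEMENTS = %w[
  svg g defs title desc circle ellipse rect line polyline polygon path text tspan
].freeze

def sanitize_svg(svg)
  doc = REXML::Document.new(svg)
  # Anything that is not an SVG document is rejected outright.
  return '' if doc.root.nil? || doc.root.name != 'svg'

  sanitize_element!(doc.root)
  doc.to_s
rescue REXML::ParseException
  ''
end

def sanitize_element!(el)
  # to_a snapshots the children, so deleting while iterating is safe.
  el.elements.to_a.each do |child|
    if SAFE_ELEMENTS.include?(child.name)
      sanitize_element!(child)
    else
      el.delete_element(child) # removes the element and its whole subtree
    end
  end

  attrs = []
  el.attributes.each_attribute { |a| attrs << a }
  attrs.each do |a|
    # Whitespace and control characters are stripped before the scheme check
    # so that obfuscated spellings of the scheme are still recognised.
    value = a.value.gsub(/[[:space:][:cntrl:]]/, '').downcase
    handler = a.name.downcase.start_with?('on')
    el.attributes.delete(a) if handler || value.start_with?('javascript:')
  end
end

if __FILE__ == $PROGRAM_NAME
  puts svg_to_img_tag(POC_SVG)
  puts sanitize_svg(POC_SVG)
end
```

Of the three, the `<img>` route is the only one that needs no knowledge of the SVG content at all; the CSP header and the sanitizer both have to be kept correct as the markup and the browsers change.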

mikitex70 commented 3 years ago

Thanks @maudov, I will fix it as soon as possible!

mikitex70 commented 3 years ago

Hi @maudov, the security problem should now be fixed. I've opted for removing javascripts from the svg diagram, because working with base64 was causing some issue when the diagram was re-edited before reloading the page. Thanks again for reporting it.

maudov commented 3 years ago

Hi @mikitex70, thank you for your fast reaction, unfortunately there are many ways to bypass the fix (i.e.