unjs / ipx

🖼️ High performance, secure and easy-to-use image optimizer.
MIT License

feat: sanitize svg files #82

Closed pi0 closed 11 months ago

pi0 commented 2 years ago

Input is usually considered safe from local sources and whitelisted domains, but if an attacker somehow manages to bypass these, they can potentially use XSS on SVG files that are served as is. This enhancement tries to restrict this and make ipx secure out of the box even if a (trusted) source can contain bad data.

Try:

codecov[bot] commented 2 years ago

Codecov Report

Merging #82 (50c8676) into main (13cb53d) will decrease coverage by 0.24%. The diff coverage is 16.66%.

Current head 50c8676 differs from pull request most recent head f2e6384. Consider uploading reports for the commit f2e6384 to get more accurate results.

@@            Coverage Diff             @@
##             main      #82      +/-   ##
==========================================
- Coverage   59.17%   58.92%   -0.25%     
==========================================
  Files          10       10              
  Lines         779      784       +5     
  Branches       43       43              
==========================================
+ Hits          461      462       +1     
- Misses        318      322       +4     
Impacted Files        Coverage Δ
src/ipx.ts            81.71% <16.66%> (-1.82%)


pi0 commented 11 months ago

Doing it via svgo https://github.com/unjs/ipx/pull/180. xss package is really unreliable for svg sources.