I think the root of it is that XF's image proxy doesn't support SVG images (it supports GIF, JPG, PNG, ICO and WEBP). I assume it's intentional that SVG isn't supported by the image proxy because an SVG image can have embedded JavaScript that executes inside the image itself. You could get some really malicious stuff happening by allowing users to execute JavaScript they wrote and then stuck in an image. That image then is run on the host domain (since the proxy image is coming from the XF site). You know... doing things like inserting ads to the site, stealing login credentials of anyone that viewed the image, etc.
The only way to realistically do it would go down a road of trying to whitelist certain allowed SVG tags/attributes inside the image itself and hope you didn't forget something. Would be like trying to universally sanitize a webpage and remove all the different ways JavaScript could be on that page.
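The post describes two things: the proxy only passes through a fixed set of raster formats, and sanitising SVG by allowlisting tags is a losing game. The example below is added here and is not XenForo's code; it shows the defender-side alternative the post implies, which is to allowlist by magic bytes rather than by claimed Content-Type or by inspecting SVG markup. The function names (`sniff_image_type`, `looks_like_svg`, `proxy_decision`) and the sample bodies are constructed for the example, not taken from the XF implementation.

```python
"""Content sniffing for an image proxy that serves only raster formats.

Added example, not XenForo's own code. It mirrors the behaviour the post
describes: GIF, JPEG, PNG, ICO and WEBP are accepted by their magic bytes
and everything else is refused, including SVG, regardless of the
Content-Type the upstream server claimed.
"""
from typing import List, Optional, Tuple

# Magic-byte signatures of the formats the proxy is willing to serve.
# Every (offset, bytes) pair in a list must match. GIF has two valid
# headers, so it appears twice; WEBP is a RIFF container whose form type
# "WEBP" sits at offset 8, so "RIFF" alone is not enough.
_SIGNATURES: List[Tuple[str, List[Tuple[int, bytes]]]] = [
    ("image/gif", [(0, b"GIF87a")]),
    ("image/gif", [(0, b"GIF89a")]),
    ("image/jpeg", [(0, b"\xff\xd8\xff")]),
    ("image/png", [(0, b"\x89PNG\r\n\x1a\n")]),
    ("image/x-icon", [(0, b"\x00\x00\x01\x00")]),
    ("image/webp", [(0, b"RIFF"), (8, b"WEBP")]),
]


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the allowed MIME type whose signature matches, else None."""
    for mime, parts in _SIGNATURES:
        if all(data[off:off + len(sig)] == sig for off, sig in parts):
            return mime
    return None


def looks_like_svg(data: bytes) -> bool:
    """Heuristic used only to give a clearer rejection reason.

    SVG is XML text, so it never matches a raster signature; this check
    just recognises the usual '<svg' / '<?xml ... <svg' openings. The
    proxy decision does not depend on it: anything unrecognised is refused.
    """
    # utf-8-sig drops a leading BOM; errors="ignore" tolerates binary junk.
    head = data[:512].decode("utf-8-sig", "ignore").lstrip().lower()
    if head.startswith("<svg"):
        return True
    return (head.startswith("<?xml") or head.startswith("<!doctype")) and "<svg" in head


def proxy_decision(claimed_type: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether the proxy may serve this body.

    Returns (allowed, reason). The claimed Content-Type is reported but
    never trusted: a body labelled image/png that is really SVG is refused,
    and a body labelled image/svg+xml that is really PNG is served as PNG.
    """
    sniffed = sniff_image_type(data)
    if sniffed is not None:
        return True, sniffed
    if looks_like_svg(data):
        return False, "svg refused: may carry script; not a supported proxy format"
    return False, "unrecognised format (claimed %s)" % claimed_type


# Constructed sample bodies (headers only, padded with zeros where needed).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 10
SAMPLE_WEBP = b"RIFF" + b"\x10\x00\x00\x00" + b"WEBP" + b"VP8 "
SAMPLE_WAVE = b"RIFF" + b"\x10\x00\x00\x00" + b"WAVE"  # RIFF but not WEBP
SAMPLE_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>/* would run on the proxy host's origin if served */</script>"
    b"</svg>"
)

if __name__ == "__main__":
    for label, claimed, body in [
        ("png labelled svg", "image/svg+xml", SAMPLE_PNG),
        ("svg labelled png", "image/png", SAMPLE_SVG),
        ("wave labelled webp", "image/webp", SAMPLE_WAVE),
        ("gif", "image/gif", SAMPLE_GIF),
        ("webp", "image/webp", SAMPLE_WEBP),
    ]:
        print("%-20s -> %s" % (label, proxy_decision(claimed, body)))
```

The point of ignoring the claimed type is that the upstream server is under the attacker's control when the image URL is user-supplied; only the bytes the proxy actually fetched are trustworthy. Because the decision is a format allowlist, there is no SVG tag or attribute list to keep complete, which is exactly the maintenance burden the post warns about.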