Is there any browser that does something with such entities? I'm pretty sure that's not the case, so I think this attack doesn't exist as far as browsers go.
OWASP's top 10 security vulnerabilities [PDF] explains that an SVG (file or inline in HTML documents) that includes reference(s) to external entities "may lead to the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF)" - OWASP XXE prevention cheat sheet.
More information on security issues/example attacks:
https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf
I don't know if this can be restricted using CSP; the OWASP prevention cheat sheet states that DTDs should be disabled to secure the parser. But I figure, if you do not control the parser, CSP could have a directive to not allow for external references inside SVG/XML in the first place.
Feel free to close the issue if this is inapplicable.
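The parser-side mitigation the cheat sheet refers to, shown as an added example (not code from the original issue or from this project): the same SVG is parsed twice with Python's standard-library `xml.sax`, once with external general entities enabled and once with them disabled. A recording `EntityResolver` logs which URL the parser would have fetched and answers with constructed content, so nothing touches the network. The SVG, the `attacker.example` host and the `<canary>` replacement text are all constructed for the example.

```python
import io
import xml.sax
from xml.sax import handler, xmlreader

# Constructed sample: an SVG whose internal DTD subset declares an external
# general entity pointing at a hypothetical attacker-controlled URL.
SVG_WITH_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "http://attacker.example/canary">
]>
<svg xmlns="http://www.w3.org/2000/svg">
  <text x="10" y="20">&xxe;</text>
</svg>
"""


class RecordingResolver(handler.EntityResolver):
    """Records every external entity the parser asks for and answers with
    constructed content, so the example never reaches network or disk."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource(systemId)
        # What an attacker's server would have returned; constructed here.
        src.setByteStream(io.BytesIO(b"<canary>fetched</canary>"))
        return src


class Collector(handler.ContentHandler):
    """Collects the element names and character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_svg(data, allow_external_entities):
    """Parse `data` with xml.sax and return (requested URLs, elements, text).

    `allow_external_entities` maps to xml.sax's feature_external_ges, which
    decides whether external general entities are fetched and substituted.
    False is the hardened setting the OWASP cheat sheet recommends.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    resolver = RecordingResolver()
    collector = Collector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return resolver.requested, collector.elements, "".join(collector.text)


if __name__ == "__main__":
    for allow in (True, False):
        urls, elems, text = parse_svg(SVG_WITH_XXE, allow)
        state = "enabled" if allow else "disabled"
        print(f"external entities {state}: fetched={urls} "
              f"elements={elems} text={text.strip()!r}")
```

With external entities enabled, the resolver is asked for `http://attacker.example/canary` and the returned markup ends up inside the `<text>` element, which is the SSRF and data-disclosure path the cheat sheet describes; with them disabled, the entity reference is dropped and no request is made. The recording resolver is also a useful canary for checking how a parser you do not fully control is configured.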