0

I use an online photo editor on my web store. User can edit photo using svg-edit and save changes. User results are stored as SVG source code (...). I have to send that SVG source code through the PHP form, save it in database and show in the Administration Panel.

I'm afraid of any injections or attacks on my web store. Is there any possibility to make it secure?

I can't generate private hash for SVG source code, because it's client side and any request I can make is via AJAX.

@EDIT

Example: user saves ... code and that code is being sent through POST. In PHP script I can access $svg = $_POST['svg_source']; I am worring about injection in that POST value. Attacker may inject any HTML, JS, other, source code.

@EDIT:

And then in DB I can store that $_POST value ... and view it in PA. But the attacker can write some ... code and it will be executed in PA where I view SVG image (based on SVG code)

@EDIT:

I need some solution to check that SVG code is valid and don't contain any JS, HTML code. OR - I need some solution for secure viewing SVG code on a website.

Krzysztof Piątkowski
  • 43
  • 6
  • what kind of injections? sql? css/html? svg? if you're using proper defensive programming techniques, you shouldn't be worrying about injection attacks at all. – Marc B Aug 23 '13 at 14:46
  • Example: user saves ... code and that code is being sent through POST. In PHP script I can access $svg = $_POST['svg_source']; I am worring about injection in that POST value. Attacker may inject any HTML, JS, other, source code. – Krzysztof Piątkowski Aug 23 '13 at 14:52
  • and what's the problem with that? ANY data a user submits via a form will show up in _GET or _POST anyways... – Marc B Aug 23 '13 at 14:52
  • And then in DB I can store that $_POST value ... and view it in PA. But the attacker can write some code and it will be executed in PA where I view SVG image (based on SVG code) – Krzysztof Piątkowski Aug 23 '13 at 14:55
  • Add those needed informations from your comments in the question directly so people reading the question don't have to read 3-4 comments to understand it fully. – Jonathan Drapeau Aug 23 '13 at 14:57

1 Answers1

0

Consider wrapping the user input with something like mysql_escape_string() before storing it into a database. That will give you some mitigation as far as SQL injection attacks.

As far as HTML/javascript injection, what you need to do is validate the SVG file against W3 standards. I did a quick search, and found this:

Sanitizing SVG using PHP

Which leads to these: http://us3.php.net/manual/en/domdocument.schemavalidate.php and http://us3.php.net/manual/en/domdocument.validate.php

I hope this is helpful.

EDIT :

As suggested in the comments below, you could parse the SVG file by whitelisting only the elements you deem as safe. Looks like there's already a good posting that covers this:

Sanitizing an SVG document by whitelisting elements

Community
  • 1
  • 1
Emo Mosley
  • 525
  • 3
  • 9
  • Since SVG can have [embedded JavaScript](http://www.w3.org/TR/SVG/script.html#ScriptElement) and still be valid, and allowing arbitrary Javascript to be executed on your site is practically the definition of XSS … validating against W3C standards isn't going to do a jot to defend against XSS. – Quentin Aug 23 '13 at 16:20
  • @Quentin - Yep - good point. I guess what's needed is to parse the SVG and eliminate any – Emo Mosley Aug 23 '13 at 16:53
  • 1
    Blacklists are doomed to failure. You need to whitelist the specific elements and attributes that are considered safe. – Quentin Aug 23 '13 at 16:54
  • @Krzysztof Piątkowski - Take a look at the edit near the bottom of my answer and see if that link helps you out. – Emo Mosley Aug 23 '13 at 17:37