Is there any way to sanitize an SVG file in C#, any libraries, anything? From the client side we are sanitizing the SVG files while uploading, but the security team is asking for sanitization on the server side too.
Did you try any HTML sanitizer? – Mr_Green Dec 14 '20 at 07:52
When I tried an HTML sanitizer, it's not picking it up, as SVG is XML. – ManjuVijayan Dec 15 '20 at 12:21
Please provide the SVG that didn't work for you. HTMLSanitizer should work. – OfirD Dec 16 '20 at 12:44
2 Answers
It is true what your security team say: client-side security is not security. It is just user convenience. Never rely on client-side checks. Anyone wanting to do bad things to your application will bypass client-side checks first thing.
Now, an SVG file can be used in an XSS attack only by leveraging the <script> tag.
Unfortunately, defusing/securing a script is a very complicated topic and prone to errors and both false positives and negatives.
So, I believe your only recourse is to remove scripts altogether. This might not be what you need.
But, if it is, then it's very simple to do. The script tag cannot be masqueraded inside the SVG, or the browser will not recognize it in the first place, making the attack moot. So a simple regex should suffice. Something like,
using System.Text.RegularExpressions;

// Strips <script>...</script> blocks; IgnoreCase covers <SCRIPT>, SingleLine lets "." span newlines.
string cleanSVGcode = Regex.Replace(
    userSVGcode,
    @"<script.*?script>",
    @"",
    RegexOptions.IgnoreCase|RegexOptions.SingleLine
);
It is possible to sanitize out further sequences. Since, if they're written incorrectly or in an obfuscated way, javascript calls won't work, the number of these sequences is limited.
@"javascript:" => @"syntax:error:"
Removing script tags is not sufficient. Ex: add this to an SVG file: ` Click here `. Maybe you'll have to add `xmlns:xlink="http://www.w3.org/1999/xlink"` to your SVG root element. This example shows that you can execute code without a script tag. – Yanal-Yves Fargialla Jun 29 '21 at 13:12
@Yanal-YvesFargialla you're right. Removing extra sequences is trivial, though (example added). – LSerni Jun 29 '21 at 21:37
Detecting all script locations is NOT trivial, ex. see slide 11 from https://owasp.org/www-pdf-archive/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf – Imre Pühvel Nov 15 '22 at 13:46
I'm primarily a Python developer, but I thought I'd throw some research into the issue for ya. I used to develop for C, so I thought I should at least have a basic understanding of what's going on.
*.SVG files are structured like XML documents, and use the HTML DOM to access JavaScript and CSS functionalities. Trying to enumerate and script out every single catch for potential JavaScript-based security issues doesn't seem realistic, so personally, I'd just entirely remove all JavaScript sectors that do anything more than define simple variables, do math operations, or reference already-defined visual elements from any uploaded *.SVG files.
Since *.SVG files are based on XML and are human-readable, this could be accomplished by iterating through the file either line-by-line like a text file or element-by-element like an XML or HTML file. You'd want to go through and remove all the JavaScript scripts that don't meet the above criteria, save it & then convert it to XML and use a standard XML-sanitation library on it, and then convert that back to *.SVG. I reckon this Github library and this StackOverflow thread could be helpful in that.
I hope my response was helpful!
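The following is an added example, not code from either answer nor from any existing library, that shows what the first answer's regex misses (the `onload` handler, the `xlink:href="javascript:"` link from the comments, XHTML smuggled in through `<foreignObject>`) and implements the element-by-element approach the second answer sketches: parse the upload as XML with System.Xml.Linq and keep only an allowlist of elements and attributes, so whatever can run or fetch code is dropped rather than pattern-matched. The two allowlists, the `SvgSanitizer` name and the four sample files are assumptions made for this example (they suit plain static icons and illustrations; extend them on purpose); it targets .NET 6 or later.

```csharp
// Added example (not from either answer): an allowlist SVG sanitizer on System.Xml.Linq.
// Build as a .NET 6+ console app and run with `dotnet run`.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml;
using System.Xml.Linq;

public static class SvgSanitizer
{
    static readonly XNamespace Svg = "http://www.w3.org/2000/svg";
    static readonly XNamespace XLink = "http://www.w3.org/1999/xlink";
    // Element allowlist for plain static graphics (an assumption of this example; extend it
    // deliberately). Absent on purpose: script, style, foreignObject, image, set, animate.
    static readonly HashSet<string> AllowedElements = new HashSet<string>(StringComparer.Ordinal)
    {
        "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse", "line", "polyline",
        "polygon", "text", "tspan", "linearGradient", "radialGradient", "stop", "clipPath", "mask", "symbol", "use", "a"
    };
    // Attribute allowlist by local name. "style" is absent: CSS url()/@import can fetch remote
    // resources. href/xlink:href and on* handlers are handled explicitly below.
    static readonly HashSet<string> AllowedAttributes = new HashSet<string>(StringComparer.Ordinal)
    {
        "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry", "width", "height", "d",
        "points", "fill", "stroke", "stroke-width", "stroke-linecap", "stroke-linejoin", "opacity", "fill-opacity",
        "stroke-opacity", "transform", "viewBox", "preserveAspectRatio", "offset", "stop-color", "stop-opacity",
        "font-size", "font-family", "text-anchor", "clip-path", "mask", "gradientUnits"
    };
    // Only same-document fragments (#id) survive as href; javascript:, data:, http: and values with
    // leading whitespace/control characters fail the match. Paint references must be url(#id) too.
    static bool IsSafeHref(string v) => Regex.IsMatch(v, @"^#[A-Za-z_][A-Za-z0-9_.\-]*$");
    static bool IsSafePaint(string v) =>
        !v.Contains("url(", StringComparison.OrdinalIgnoreCase) || Regex.IsMatch(v, @"^url\(#[A-Za-z_][A-Za-z0-9_.\-]*\)$");

    public static string Sanitize(string svgText)
    {
        // Parse as XML, never as text. DtdProcessing.Ignore lets an Inkscape/Illustrator DOCTYPE
        // through without expanding any entity (XXE/billion laughs); no external resource is resolved.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore, XmlResolver = null };
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(svgText), settings))
            doc = XDocument.Load(reader);
        if (doc.Root == null || doc.Root.Name != Svg + "svg")
            throw new InvalidDataException("Root element is not <svg> in the SVG namespace.");
        // <?xml-stylesheet href="..."?> can load remote CSS: drop every processing instruction.
        foreach (var pi in doc.DescendantNodes().OfType<XProcessingInstruction>().ToList())
            pi.Remove();
        // Walk a snapshot so removals do not disturb the iteration.
        foreach (var el in doc.Root.DescendantsAndSelf().ToList())
        {
            // Anything outside the SVG namespace (XHTML smuggled via foreignObject) or not on the
            // allowlist is removed together with its subtree.
            if (el.Name.Namespace != Svg || !AllowedElements.Contains(el.Name.LocalName))
            {
                el.Remove();
                continue;
            }
            foreach (var attr in el.Attributes().ToList())
            {
                if (attr.IsNamespaceDeclaration) continue;               // keep xmlns / xmlns:xlink
                string local = attr.Name.LocalName;
                XNamespace ns = attr.Name.Namespace;
                if (local.StartsWith("on", StringComparison.OrdinalIgnoreCase))
                    attr.Remove();                                        // onload, onclick, onbegin, ...
                else if (local == "href" && (ns == XNamespace.None || ns == XLink))
                { if (!IsSafeHref(attr.Value)) attr.Remove(); }
                else if (ns != XNamespace.None || !AllowedAttributes.Contains(local) || !IsSafePaint(attr.Value))
                    attr.Remove();                                        // unknown, foreign-namespace or url(http...)
            }
        }
        return doc.ToString(SaveOptions.DisableFormatting);
    }

    // Constructed inputs: three payloads with no <script> element (the first answer's regex leaves
    // them untouched) and one benign file that must survive with its gradient reference intact.
    public static readonly string[] Samples =
    {
        "<svg xmlns=\"http://www.w3.org/2000/svg\" onload=\"alert(1)\"><rect width=\"10\" height=\"10\"/></svg>",
        "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">"
          + "<a xlink:href=\"javascript:alert(1)\"><text y=\"20\">Click here</text></a></svg>",
        "<svg xmlns=\"http://www.w3.org/2000/svg\"><foreignObject width=\"10\" height=\"10\"><body xmlns=\"http://www.w3.org/1999/xhtml\">"
          + "<img src=\"x\" onerror=\"alert(1)\"/></body></foreignObject></svg>",
        "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" viewBox=\"0 0 10 10\"><defs>"
          + "<linearGradient id=\"g\"><stop offset=\"0\" stop-color=\"red\"/></linearGradient></defs>"
          + "<rect width=\"10\" height=\"10\" fill=\"url(#g)\"/><use xlink:href=\"#g\"/></svg>"
    };

    public static void Main()
    {
        foreach (var svg in Samples)
        {
            string regexOnly = Regex.Replace(svg, @"<script.*?script>", "", RegexOptions.IgnoreCase | RegexOptions.SingleLine);
            Console.WriteLine("regex only: " + regexOnly);   // identical to the input: nothing to match
            Console.WriteLine("sanitized : " + Sanitize(svg));
        }
    }
}
```

Running it prints each sample twice: the regex pass returns every file unchanged, while `Sanitize` strips `onload`, drops the `javascript:` href (the `<a>` and its text stay), removes the whole `<foreignObject>` subtree, and leaves the gradient file intact with its `url(#g)` and `xlink:href="#g"` references. Files whose root is not `<svg>` in the SVG namespace are rejected rather than guessed at, and `<style>` plus the `style` attribute are dropped because validating CSS is a separate job; add them back only with a CSS parser in front. Whatever sanitizer you settle on, also serve uploaded SVGs from a separate origin (or with a `Content-Security-Policy: sandbox` response header) so that a missed vector still cannot run in your application's origin, and exercise it against the vectors in the slide deck linked in the comments above.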