Check of unsafe HTML in SVG files (#3250)

* Check of unsafe HTML in SVG files Fixes #3249 * mention in index.html file * feedbacked
mdn · Mar 15, 2021 · 8556a9e · 8556a9e
1 parent 51dcc55
commit 8556a9e
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 3 deletions.
diff --git a/filecheck/checker.js b/filecheck/checker.js
@@ -62,9 +62,20 @@ async function checkFile(filePath, options) {
       throw new Error(`${filePath} does not appear to be an SVG`);
     }
     const $ = cheerio.load(content);
-    if ($("script").length) {
-      throw new Error(`${filePath} contains a <script> tag`);
-    }
+    const disallowedTagNames = new Set(["script", "object", "iframe", "embed"]);
+    $("*").each((i, element) => {
+      const { tagName } = element;
+      if (disallowedTagNames.has(tagName)) {
+        throw new Error(`${filePath} contains a <${tagName}> tag`);
+      }
+      for (const key in element.attribs) {
+        if (/(\\x[a-f0-9]{2}|\b)on\w+/.test(key)) {
+          throw new Error(
+            `${filePath} <${tagName}> contains an unsafe attribute: '${key}'`
+          );
+        }
+      }
+    });
   } else {
     // Check that the file extension matches the file header.
     const fileType = await FileType.fromFile(filePath);

diff --git a/testing/tests/filecheck.test.js b/testing/tests/filecheck.test.js
@@ -0,0 +1,25 @@
+const fs = require("fs");
+const path = require("path");
+
+const { checkFile } = require("../../filecheck/checker");
+
+const SAMPLES_DIRECTORY = path.join(__dirname, "samplefiles");
+
+describe("checking files", () => {
+  it("should spot SVGs with scripts inside them", async () => {
+    const filePath = path.join(SAMPLES_DIRECTORY, "script.svg");
+    // Sanity check the test itself
+    console.assert(fs.existsSync(filePath), `${filePath} does not exist`);
+    await expect(checkFile(filePath)).rejects.toThrow(
+      "contains a <script> tag"
+    );
+  });
+  it("should spot SVGs with onLoad inside an element", async () => {
+    const filePath = path.join(SAMPLES_DIRECTORY, "onhandler.svg");
+    // Sanity check the test itself
+    console.assert(fs.existsSync(filePath), `${filePath} does not exist`);
+    await expect(checkFile(filePath)).rejects.toThrow(
+      "<path> contains an unsafe attribute: 'onload'"
+    );
+  });
+});
diff --git a/testing/tests/samplefiles/index.html b/testing/tests/samplefiles/index.html
@@ -0,0 +1,3 @@
+<!-- Must be mention in the adjacent index.html file -->
+<img src="script.svg" />
+<img src="onhandler.svg" />
diff --git a/testing/tests/samplefiles/onhandler.svg b/testing/tests/samplefiles/onhandler.svg
diff --git a/testing/tests/samplefiles/script.svg b/testing/tests/samplefiles/script.svg