From 8556a9e4479276bf5d5f4b9ce8d38c0d59e42301 Mon Sep 17 00:00:00 2001
From: Peter Bengtsson <mail@peterbe.com>
Date: Mon, 15 Mar 2021 19:10:19 -0400
Subject: [PATCH] Check of unsafe HTML in SVG files (#3250)

* Check of unsafe HTML in SVG files

Fixes #3249

* mention in index.html file

* feedbacked
---
 filecheck/checker.js                    | 17 ++++++++++++++---
 testing/tests/filecheck.test.js         | 25 +++++++++++++++++++++++++
 testing/tests/samplefiles/index.html    |  3 +++
 testing/tests/samplefiles/onhandler.svg |  3 +++
 testing/tests/samplefiles/script.svg    |  3 +++
 5 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 testing/tests/filecheck.test.js
 create mode 100644 testing/tests/samplefiles/index.html
 create mode 100644 testing/tests/samplefiles/onhandler.svg
 create mode 100644 testing/tests/samplefiles/script.svg

diff --git a/filecheck/checker.js b/filecheck/checker.js
index 4b9049656d82..bc892949fb87 100644
--- a/filecheck/checker.js
+++ b/filecheck/checker.js
@@ -62,9 +62,20 @@ async function checkFile(filePath, options) {
       throw new Error(`${filePath} does not appear to be an SVG`);
     }
     const $ = cheerio.load(content);
-    if ($("script").length) {
-      throw new Error(`${filePath} contains a <script> tag`);
-    }
+    const disallowedTagNames = new Set(["script", "object", "iframe", "embed"]);
+    $("*").each((i, element) => {
+      const { tagName } = element;
+      if (disallowedTagNames.has(tagName)) {
+        throw new Error(`${filePath} contains a <${tagName}> tag`);
+      }
+      for (const key in element.attribs) {
+        if (/(\\x[a-f0-9]{2}|\b)on\w+/.test(key)) {
+          throw new Error(
+            `${filePath} <${tagName}> contains an unsafe attribute: '${key}'`
+          );
+        }
+      }
+    });
   } else {
     // Check that the file extension matches the file header.
     const fileType = await FileType.fromFile(filePath);
diff --git a/testing/tests/filecheck.test.js b/testing/tests/filecheck.test.js
new file mode 100644
index 000000000000..8dcc89ead234
--- /dev/null
+++ b/testing/tests/filecheck.test.js
@@ -0,0 +1,25 @@
+const fs = require("fs");
+const path = require("path");
+
+const { checkFile } = require("../../filecheck/checker");
+
+const SAMPLES_DIRECTORY = path.join(__dirname, "samplefiles");
+
+describe("checking files", () => {
+  it("should spot SVGs with scripts inside them", async () => {
+    const filePath = path.join(SAMPLES_DIRECTORY, "script.svg");
+    // Sanity check the test itself
+    console.assert(fs.existsSync(filePath), `${filePath} does not exist`);
+    await expect(checkFile(filePath)).rejects.toThrow(
+      "contains a <script> tag"
+    );
+  });
+  it("should spot SVGs with onLoad inside an element", async () => {
+    const filePath = path.join(SAMPLES_DIRECTORY, "onhandler.svg");
+    // Sanity check the test itself
+    console.assert(fs.existsSync(filePath), `${filePath} does not exist`);
+    await expect(checkFile(filePath)).rejects.toThrow(
+      "<path> contains an unsafe attribute: 'onload'"
+    );
+  });
+});
diff --git a/testing/tests/samplefiles/index.html b/testing/tests/samplefiles/index.html
new file mode 100644
index 000000000000..43cdfe75b71a
--- /dev/null
+++ b/testing/tests/samplefiles/index.html
@@ -0,0 +1,3 @@
+<!-- Must be mention in the adjacent index.html file -->
+<img src="script.svg" />
+<img src="onhandler.svg" />
diff --git a/testing/tests/samplefiles/onhandler.svg b/testing/tests/samplefiles/onhandler.svg
new file mode 100644
index 000000000000..c2c92e81edc1
--- /dev/null
+++ b/testing/tests/samplefiles/onhandler.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="42.667" height="25.6"
+viewBox="0 0 40 24"><path oNload=alert(1) d="M28 0l4.59 4.59-9.76 9.75-8-8L0 21.17
+2.83 24l12-12 8 8L35.41 7.41 40 12V0z"/></svg>
diff --git a/testing/tests/samplefiles/script.svg b/testing/tests/samplefiles/script.svg
new file mode 100644
index 000000000000..26471905890a
--- /dev/null
+++ b/testing/tests/samplefiles/script.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="42.667" height="25.6"
+viewBox="0 0 40 24"><path d="M28 0l4.59 4.59-9.76 9.75-8-8L0 21.17
+2.83 24l12-12 8 8L35.41 7.41 40 12V0z"/><Script>alert(1)</script></svg>