有什么方法可以使用户上传的SVG图像免受代码注入等的影响？ [英] Is there any way to make user uploaded SVG images safe from code injection etc?

问题描述

我想在网站上显示用户上传的SVG图像，但是它们很容易受到攻击：

I want to display user uploaded SVG images on a website, but they're quite open to exploits:

• https://security.stackexchange.com/questions/11384/exploits-or-其他安全风险与svg上载


• https://security.stackexchange.com/questions/36447/img-tag-vulnerability

• https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload
• https://security.stackexchange.com/questions/36447/img-tag-vulnerability

例如，任意javascript都可以嵌入SVG 中。性能利用方面也存在问题，但我会考虑优先级较低的问题。

For example, arbitrary javascript can be embedded in SVG. There's also issues with performance exploits, but I'd consider those lower priority.

是否有任何机制可以使SVG更加安全并仅将其用作映像？我可以简单地信任< img src = / media / user-uploaded-image.svg /> 吗？

Is there any mechanism to make SVG somewhat safe and only use it as an image? Can I simply trust <img src="/media/user-uploaded-image.svg" />?

Wikipedia / Wikimedia Commons托管SVG文件。有谁知道他们采取了什么措施来防止SVG攻击？

Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?

推荐答案

Wikipedia / Wikimedia Commons托管了SVG文件。有谁知道他们采取了什么措施来防止SVG攻击？

Wikipedia/Wikimedia Commons hosts SVG files. Does anyone know what measures they take to prevent SVG exploits?

他们通过单独的主机名（特别是<$ c $）提供上传的文件c> upload.wikimedia.org 。您可以跨站点脚本到自己喜欢的所有内容中，但是并不能为您带来任何收益：它与 en.wikipedia.org 的起源不同，并且不能

They serve the uploaded files from a separate hostname, specifically upload.wikimedia.org. You can cross-site-script into there all you like but it doesn't get you anything: it lives in a different origin to en.wikipedia.org and can't touch its cookies or interact with its script.

这最终是处理文件上传的唯一密封方法，这也是大多数大型公司所做的。彻底扫描允许您允许使用任意文件时存在的所有众多晦涩的XSS可能性实在太困难了。

This is ultimately the only airtight way to handle file uploads, and what most of the big players do. It is just too difficult to do a thorough scan for all the many obscure XSS possibilities that exist when you allow arbitrary files.

信任< img src = / media / user-uploaded-image.svg /> ？

< img> 的作用并不重要，用户可以直接直接导航到SVG地址，然后执行在网站的原始位置显示整页脚本。

It doesn't really matter what <img> does—the user can simply be navigated directly to the SVG address and it'll execute script full-page in the site's origin.

这篇关于有什么方法可以使用户上传的SVG图像免受代码注入等的影响？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！