Fixed Asset upload accepts SVG with JavaScript

Kirby

Well-known member
Affected version
2.2.10
XenForo does accept SVG with embedded JavaScript like
Code:
<svg viewBox="0 0 390 82" xmlns="http://www.w3.org/2000/svg" fill-rule="evenodd" clip-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="2">
    <script>
    <![CDATA[
    alert('Code executed!');
    ]]>
    </script>
    <path d="M27.05 40.777l10.368-16.752h9.81L31.445 46.936m-2.427 3.523l20.383 29.722h-9.81L24.729 57.508 9.81 80.181H0L20.383 50.81 2.115 24.025h9.868l12.746 20.501M59.772 47.227c0-1.264.042-2.423.102-3.531l.013-.405h.011c.314-4.982 1.253-8.359 2.841-10.073 1.977-2.134 6.294-3.202 12.952-3.202 6.618 0 10.926.911 12.923 2.731 1.849 1.686 2.831 5.217 2.968 10.544h8.294c-.513-7.392-2.052-12.428-4.624-15.095-3.212-3.328-9.986-4.993-20.325-4.993-9.477 0-15.84 1.918-19.09 5.756-3.251 3.838-4.876 11.357-4.876 22.555 0 12.103 1.615 20.042 4.847 23.821 3.23 3.78 10.015 5.669 20.352 5.669 8.89 0 15.106-1.165 18.651-3.495 3.544-2.33 5.316-6.413 5.316-12.248l-.058-2.056h-8.4v1.762c0 3.838-.99 6.335-2.967 7.49-1.977 1.156-6.276 1.733-12.894 1.733-6.971 0-11.406-1.214-13.305-3.641-1.899-2.429-2.848-8.068-2.848-16.918h40.414v-4.407c0-.681-.007-1.347-.02-1.997H59.772z" fill="#a5cae4" fill-rule="nonzero"/>
    <path d="M59.886 43.292l-.011.403c.007-.135.015-.269.024-.403h-.013zM134.993 30.016c5.248 0 8.791.832 10.632 2.497 1.841 1.665 2.761 4.905 2.761 9.721v1.057h8.216c-.043-7.787-1.455-13.083-4.251-15.859-2.839-2.82-8.273-4.229-16.301-4.229-9.947 0-16.173 2.879-18.679 8.634l-.235-.176.235-7.636h-7.93v19.266h8.415c1.044-8.84 6.745-13.275 17.137-13.275" fill="#a5cae4" fill-rule="nonzero"/>
    <path fill="#a5cae4" d="M109.441 47.227h8.224v32.954h-8.224zM148.386 47.227h8.224v32.954h-8.224z"/>
    <path d="M177.32 35.655V7.637h40.121V0h-49.167v43.292h46.85c.258-2.936.663-5.474 1.204-7.637H177.32z" fill="#fff" fill-rule="nonzero"/>
    <path fill="#fff" d="M168.274 47.227h9.046v32.954h-9.046z"/>
    <path d="M262.468 52.103c0 9.986-.873 16.165-2.614 18.533-1.743 2.37-6.276 3.554-13.599 3.554-7.283 0-11.798-1.184-13.54-3.554-1.743-2.368-2.614-8.547-2.614-18.533 0-1.743.028-3.364.082-4.876h-8.618c-.064 1.543-.098 3.162-.098 4.876 0 12.062 1.546 19.894 4.641 23.497 3.091 3.603 9.81 5.404 20.147 5.404 10.377 0 17.113-1.801 20.208-5.404 3.093-3.603 4.641-11.435 4.641-23.497 0-1.714-.036-3.333-.098-4.876h-8.619c.054 1.512.081 3.133.081 4.876M232.715 33.57c1.743-2.368 6.257-3.554 13.54-3.554 7.322 0 11.857 1.186 13.599 3.554 1.154 1.569 1.922 4.816 2.312 9.721h8.597c-.609-7.15-2.039-12.051-4.301-14.684-3.094-3.603-9.83-5.405-20.207-5.405-10.338 0-17.055 1.802-20.147 5.405-2.261 2.633-3.692 7.534-4.302 14.684h8.596c.391-4.905 1.16-8.152 2.313-9.721" fill="#fff" fill-rule="nonzero"/>
    <path fill="#fff" d="M278.848 47.227h8.224v32.954h-8.224z"/>
    <path d="M300.818 29.546c6.265 0 9.398 2.879 9.398 8.636 0 .509-.057 1.507-.176 2.995l-.247 2.115h8.106l.13-4.582c0-10.652-5.169-15.978-15.507-15.978-7.481 0-12.846 2.644-16.095 7.93l-.176-.176.822-6.461h-8.225v19.267h8.377c.831-9.153 5.352-13.746 13.593-13.746M368.033 28.607c-3.095-3.602-9.83-5.405-20.207-5.405-10.338 0-17.055 1.803-20.148 5.405-2.26 2.633-3.691 7.534-4.3 14.684h8.594c.391-4.905 1.161-8.153 2.314-9.721 1.743-2.369 6.257-3.554 13.54-3.554 7.322 0 11.856 1.185 13.599 3.554 1.742 2.37 2.613 8.547 2.613 18.533s-.871 16.164-2.613 18.533c-1.743 2.369-6.277 3.554-13.599 3.554-7.283 0-11.797-1.185-13.54-3.554-1.743-2.369-2.614-8.547-2.614-18.533 0-1.744.028-3.364.081-4.876h-8.617c-.064 1.543-.098 3.163-.098 4.876 0 12.062 1.546 19.893 4.64 23.496 3.093 3.603 9.81 5.405 20.148 5.405 10.377 0 17.112-1.802 20.207-5.405 3.094-3.603 4.641-11.434 4.641-23.496 0-12.061-1.547-19.893-4.641-23.496" fill="#fff" fill-rule="nonzero"/>
    <g>
        <path d="M380.485 26.823h2.517c1.106 0 1.658-.447 1.658-1.339 0-.659-.083-1.085-.25-1.279-.166-.193-.533-.289-1.099-.289h-2.826v2.907zm-1.019 3.955v-7.781h3.836c1.584 0 2.377.76 2.377 2.278 0 1.105-.356 1.778-1.069 2.017.639.22.96.72.96 1.498v1.988h-1.02V28.99c0-.832-.38-1.248-1.139-1.248h-2.926v3.036h-1.019zm3.117-10.058c-1.686 0-3.124.608-4.316 1.823-1.192 1.215-1.788 2.685-1.788 4.41s.596 3.197 1.788 4.415c1.192 1.219 2.63 1.828 4.316 1.828 1.677 0 3.112-.609 4.299-1.828 1.19-1.218 1.784-2.69 1.784-4.415s-.593-3.195-1.778-4.41c-1.185-1.215-2.621-1.823-4.305-1.823m.009-.72c1.905 0 3.534.68 4.889 2.038 1.356 1.358 2.034 2.997 2.034 4.915 0 1.918-.678 3.558-2.034 4.92-1.355 1.361-2.984 2.042-4.889 2.042-1.924 0-3.566-.678-4.925-2.038-1.358-1.358-2.037-2.999-2.037-4.924 0-1.918.679-3.557 2.037-4.915 1.359-1.358 3.001-2.038 4.925-2.038" fill="#d7edfc" fill-rule="nonzero"/>
    </g>
</svg>

While this is not as bad as it could be (browsers should not execute JavaScript in SVG if used via <img>) I think this should not be possible (or at least only if explicity allowed by a setting/option) as users could stil lbe tricked into accessing such a SVG by linking to it (in which case the codes does get executed!),
 
Top Bottom