Filed an issue to address this particular concern.
Thanks joepie91 for finding the folks responsible and getting the conversation started.
Currently, SVG is a security foot-cannon that allows attackers to upload a Stored XSS payload when a user views the image directly. Example.
Specifically, you can include JavaScript in an SVG document, and it will execute in all browsers if accessed directly.
This is contrary to what developers expect from a MIME type that begins with image/.
I'd like to propose:
- That the current use of SVG be moved to application/svg+xml
- If we are to have an image/svg+xml MIME type, then clients MUST not allow JavaScript (or any other code execution)
Thank you for your time.
As you say, the problem only occurs when a user views the image directly.
The same is true for other images though. Remember when IE happily accepted script tags in GIF files? The X-Content-Type-Options: nosniff header was invented for this. But the generally accepted best practice is to just not allow image uploads as is. I suggest re-rendering the images in a preferred format. Do this by "taking the pixels" and moving them to a new file. There's no way to comprehensively remove all unnecessary strings, comments and other potential danger (whitelist versus blacklist approach).