- Gary McGath, Freelance Technical Writer
Are you looking for expert, reliable writing on computer technology? Drop me a note. - Follow Mad File Format Science on WordPress.com
-
Recent Posts
- Technical issues with the Hunter Biden email
- “Shadow attack” allows alteration of signed PDF files
- Apple HEIC vs. students
- A new homeschooling resource on file formats
- Helping a nation of homeschoolers: Digital preservation
- Going on standby
- Preserving Yahoo Groups
- Nefertiti, now available as a 3D scan
RSS feed
File formats, file validation, archival software, and other weird things
Files that Last: Digital Preservation for Everygeek, an e-book to bring the message of digital preservation to the broader geek world.
More on SVG risks
SVG is a risky format in more ways than I’d realized. I’d previously mentioned the risk of cross-site scripting with embedded JavaScript, but I’ve found it gets worse.
The article “Crouching Tiger – Hidden Payload: Security Risks of Scalable Vector Graphics” covers the hazards in detail. There are two problems: (1) HTML5 requires SVG support in multiple contexts, and (2) SVG can have embedded JavaScript and CSS.
SVG is XML, and embedding it in HTML means switching between two different parsing modes. The author, Thorsten Holz at Ruhr-University Bochum, states that “SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures.” I still haven’t digested all the content, but it describes lots of ways SVG could be exploited.
Websites that allow third-party posting should disallow or filter SVG content. WordPress disallows SVG uploads by default.
SVG is a designed-in danger in HTML5.
Share this:
Related