Tag Archives: SVG

More on SVG risks

SVG is a risky format in more ways than I’d realized. I’d previously mentioned the risk of cross-site scripting with embedded JavaScript, but I’ve found it gets worse.

The article “Crouching Tiger – Hidden Payload: Security Risks of Scalable Vector Graphics” covers the hazards in detail. There are two problems: (1) HTML5 requires SVG support in multiple contexts, and (2) SVG can have embedded JavaScript and CSS.

SVG is XML, and embedding it in HTML means switching between two different parsing modes. The author, Thorsten Holz at Ruhr-University Bochum, states that “SVG files must be considered fully functional, one-file web applications potentially containing HTML, JavaScript, Flash, and other interactive code structures.” I still haven’t digested all the content, but it describes lots of ways SVG could be exploited.

Websites that allow third-party posting should disallow or filter SVG content. WordPress disallows SVG uploads by default.

SVG is a designed-in danger in HTML5.

JavaScript risk in SVG images

Malicious SVG images sent over Facebook Messenger are being used to deliver Locky ransomware.

An SVG file can contain a <script> tag, which contains executable JavaScript as CDATA. If it’s an image on a Web page, the JavaScript can run in the browser. This is a potential XSS weakness, if users can submit images to a site.
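As an added example (not code from this post or from the Holz paper it cites), here is a small Python filter of the kind the earlier note recommends for sites that accept third-party uploads: it parses an SVG with the standard library, reports any `<script>` or `<foreignObject>` elements, `on*` event-handler attributes and `javascript:`-style `href` values, and can strip them before the file is stored. The two SVG documents are constructed samples; the hostile one mirrors exactly the pattern described above, a `<script>` whose body is CDATA, plus an `onload` handler and a scripted link.

```python
"""Scan an uploaded SVG for active content and strip it (added example)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default namespace unprefixed when we re-serialize.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry or host executable / foreign content.
BLOCKED_ELEMENTS = {"script", "foreignobject"}
# href values that execute code when followed.
BLOCKED_URL_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def _active_href(name, value):
    return name == "href" and value.strip().lower().startswith(BLOCKED_URL_SCHEMES)


def scan_svg(svg_text):
    """Return a list of findings; an empty list means nothing active was seen."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in BLOCKED_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif _active_href(name, value):
                findings.append(f"active URL in href on <{tag}>")
    return findings


def sanitize_svg(svg_text):
    """Return the SVG with blocked elements, on* attributes and active hrefs removed."""
    root = ET.fromstring(svg_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):  # snapshot: we mutate the tree while walking
        if _local(elem.tag) in BLOCKED_ELEMENTS and elem in parents:
            parents[elem].remove(elem)
            continue
        for attr in list(elem.attrib):
            name = _local(attr)
            if name.startswith("on") or _active_href(name, elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a plain vector drawing with nothing active in it.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""

# Constructed sample of the pattern the post describes: CDATA script plus handlers.
HOSTILE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('xss')">
  <script><![CDATA[ alert("xss"); ]]></script>
  <a xlink:href="javascript:alert(1)"><text x="1" y="9">hi</text></a>
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, scan_svg(doc) or "clean")
    print(sanitize_svg(HOSTILE_SVG))
```

Two caveats a practitioner should keep in mind. Browsers do not run scripts in an SVG referenced from an `<img>` tag, but they do when the file is opened directly from the upload URL, inlined into the page, or loaded through `<object>`, `<embed>` or an iframe, so the upload's serving path matters as much as its contents. And a tag-level filter is only a first layer: it does not cover `<style>` rules that pull external resources, `<use>` references to other documents, or XML entity tricks, so serving uploads from a separate origin, or simply rejecting SVG as WordPress does by default, remains the safer choice.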

The little-known potential of SVG

Today on Twitter I came upon an article, “SVG Has More Potential,” by Mike Riethmuller. He points out that SVG is more than just “scalable vector graphics,” and he demonstrates that its images can be responsive.

W3C link roundup

There are a lot of announcements from W3C that are format-related, and I’m not always sure what to do with them. For the moment, I’ll put a bunch of recent links into this post, and perhaps will do the same occasionally to keep up to date.

First Draft of Efficient XML Interchange (EXI) Profile Published
Scalable Vector Graphics (SVG) 1.1 (Second Edition) is a W3C Recommendation
Last Call: CSS Speech Module
Three CSS Drafts Published; First Draft of Conditional Rules Module Level 3
CSS Values and Units Module Level 3 Draft Updated
CSS Image Values and Replaced Content Module Level 3 Draft Updated