SVG with embedded scripts can lead to XSS attacks

xml2rfc allows script elements in SVG sources.
In HTML output having these script elements can lead to XSS attacks.

Sample XML snippet:

<artwork type="svg" src="data:image/svg+xml,%3Csvg viewBox='0 0 10 10' xmlns='http://www.w3.org/2000/svg'%3E%3Cscript%3E window.alert('Test Alert'); %3C/script%3E%3C/svg%3E">
</artwork>

Impact

This vulnerability impacts website that publish HTML drafts and RFCs.

Patches

This has been fixed in version 3.12.4.

Workarounds

If SVG source is self-contained within the XML, scraping script elements from SVG files.

References

https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script

For more information

If you have any questions or comments about this advisory:

Open an issue in xml2rfc
Email us at operational-vulnerability@ietf.org
Infrastructure and Services Vulnerability Disclosure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SVG with embedded scripts can lead to XSS attacks

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

Severity

CVE ID

Weaknesses