
We have a web service where logged in users can create web page content and write custom CSS for their pages. All the HTML goes through a whitelist parser and doesn't allow any executable content. All the CSS is put through a whitelist parser that verifies all CSS.

It seems that browsers do not execute JavaScript embedded in SVG files when used this way

selector
{
    filter: url("data:image/svg+xml;base64,...#filter");
}

However, I cannot find a spec that says that browsers should not run JavaScript in that data URL.

Is it safe to allow data: URLs for function url() in property filter? I'm primarily thinking XSS attacks but I obviously would like to hear about other vulnerabilities, too.

The intended use case is to e.g. allow custom content filtering to theme colors so there's no need to allow JS in SVG. I'm basically wondering if I can safely add rule that says that prefix data:image/svg+xml is safe value for CSS function url when used in property filter.

I'm also aware that the Content-Security-Policy would need to include data: in the default-src because the specs failed to define SVG handling any better. As a result, I also need script-src 'self'; object-src 'self'.

  • And yes, old browsers had all kind of security vulnerabilities where e.g. `javascript:` URLs were executed everywhere and there were properties like `behavior` or the function `expression()`. I'm interested in up-to-date browsers and the behavior defined in actual specs only. – Mikko Rantalainen Jun 17 '21 at 08:20

1 Answer


The best spec I know is W3C Editor's Draft SVG Integration which says e.g.

For SVG to adhere to the security model of the Web platform, certain SVG features are required to be disabled depending on how the SVG document is being used. For example, SVG documents referenced by an HTML ‘img’ element are required to have scripting disabled.

in non-normative introduction.

It defines resource-document-mode in normative text and says that

SVG documents loaded due to a reference to an external document from any of the following features must use the resource document referencing mode:
[...]
the clip-path, cursor, fill, filter stroke, marker-mid, marker-start, marker-end and mask properties

However, that doesn't list the filter property so its status is still unknown. I think the intent of that spec is to say it shouldn't execute scripts.

Update December 2021: It seems that filter has been added to the normative text in current draft so my guess about the intent was correct: https://svgwg.org/specs/integration/#resource-document-mode

So once the SVG Integration spec is final, allowing data: urls for CSS filter property should be safe (but make sure to test real world browsers, too) because scripting content will not be executed there.
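One way to turn the rule the question proposes (data:image/svg+xml is the only allowed url() value for filter) and the answer's "make sure to test" caveat into a server-side whitelist check, as an added example that is neither the asker's parser nor text from the spec: it accepts a filter value only when it is a data:image/svg+xml URL whose fragment names a <filter> element, and as defence in depth it also refuses SVG that carries script elements, on* event attributes or href references. The names is_safe_filter_value and svg_filter_url are hypothetical, and the SVG samples are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Accept only url("data:image/svg+xml[;base64],<payload>#<id>") as a 'filter' value.
_FILTER_URL = re.compile(
    r'^url\(\s*(["\']?)(data:image/svg\+xml(;base64)?,([^"\')#]*)#([A-Za-z0-9_.-]+))\1\s*\)$', re.I)
# <script> is the obvious one; foreignObject can host HTML and <a> can navigate.
_REJECT_TAGS = {"script", "foreignobject", "a"}


def _local(name: str) -> str:
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def is_safe_filter_value(value: str) -> bool:
    """True only for a data:image/svg+xml URL whose fragment names a <filter> element and
    whose document has no script element, on* event attribute or href reference.
    Hypothetical whitelist rule; it backs up the browser's resource-document mode."""
    m = _FILTER_URL.match(value.strip())
    if not m:
        return False
    is_b64, body, fragment = m.group(3), m.group(4), m.group(5)
    try:
        raw = base64.b64decode(body, validate=True) if is_b64 else unquote(body).encode()
        root = ET.fromstring(raw)
    except (ValueError, ET.ParseError):
        return False
    target_is_filter = False
    for el in root.iter():
        tag = _local(el.tag)
        if tag in _REJECT_TAGS:
            return False
        for attr in el.attrib:
            a = _local(attr)
            if a.startswith("on") or a == "href":  # event handlers, href / xlink:href
                return False
        if el.get("id") == fragment:
            target_is_filter = tag == "filter"
    return target_is_filter


def svg_filter_url(svg: str, fragment: str) -> str:
    """Build the CSS value url("data:image/svg+xml;base64,...#fragment") from SVG text."""
    return 'url("data:image/svg+xml;base64,%s#%s")' % (base64.b64encode(svg.encode()).decode(), fragment)


# Constructed sample: a hue-rotate filter, i.e. the theming use case from the question.
SAFE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><filter id="tint">'
            '<feColorMatrix type="hueRotate" values="90"/></filter></svg>')
SAFE_VALUE = svg_filter_url(SAFE_SVG, "tint")
# Constructed sample to refuse: the same filter plus an event-handler attribute.
BAD_VALUE = svg_filter_url(SAFE_SVG.replace("<svg ", '<svg onload="f()" '), "tint")
```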