From 67ce6a6cd0f1c7b68cbccac5b12e990ec4787f2b Mon Sep 17 00:00:00 2001
From: Peter Bacon Darwin
Date: Sat, 5 Dec 2015 18:45:18 +0000
Subject: [PATCH] fix($sanitize): blacklist SVG `` elements

The use element can reference external svg's (same origin) and can include xlink javascript urls or foreign object that can execute xss. This change disallows `` elements in sanitized SVG markup. An example of a malicious SVG document would be: SVG to sanitize:
```
```
External SVG file (test.svg)
```
```
Here the SVG to sanitize loads in the `test.svg` file via the `` element. The sanitizer is not able to parse this file, which contains malicious executable mark-up. This can only be taken advantage of if the external file is available via the same origin restrictions in place.
---
 src/ngSanitize/sanitize.js | 2 +-
 test/ngSanitize/sanitizeSpec.js | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js
index 8d869ba2af45..aed08d101406 100644
--- a/src/ngSanitize/sanitize.js
+++ b/src/ngSanitize/sanitize.js
@@ -242,7 +242,7 @@ var inlineElements = angular.extend({}, optionalEndTagInlineElements, toMap("a,a
 // They can potentially allow for arbitrary javascript to be executed. See #11290
 var svgElements = toMap("circle,defs,desc,ellipse,font-face,font-face-name,font-face-src,g,glyph," +
 "hkern,image,linearGradient,line,marker,metadata,missing-glyph,mpath,path,polygon,polyline," +
- "radialGradient,rect,stop,svg,switch,text,title,tspan,use");
+ "radialGradient,rect,stop,svg,switch,text,title,tspan");
 
 // Blocked Elements (will be stripped)
 var blockedElements = toMap("script,style");
diff --git a/test/ngSanitize/sanitizeSpec.js b/test/ngSanitize/sanitizeSpec.js
index 77c9372ea87d..b5c9d33bc0b2 100644
--- a/test/ngSanitize/sanitizeSpec.js
+++ b/test/ngSanitize/sanitizeSpec.js
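Review bot: The `svgElements` list now silently omits `use` with nothing in the code recording why, so the only rationale lives in the commit message and a later tidy-up could re-add it; the comment above the list already points at #11290 for the general SVG risk, and a short line next to it such as `// <use> is intentionally absent: it can pull in an external (same-origin) SVG fragment whose content the sanitizer never sees.` would anchor the decision. The element is dropped from the whitelist rather than put in `blockedElements`; presumably an unknown tag is stripped while its children are still walked, which should be enough for `use` as it carries no content, but that stripping path is outside this hunk and worth confirming. The remaining `xlink:href` carriers kept in the list (`image`, `mpath`) are presumably guarded by the URI attribute validator instead; it would be worth a quick check that a same-origin reference from them cannot smuggle in markup the same way. The whole `svgElements` statement is visible inside the hunk.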
@@ -292,6 +292,13 @@ describe('HTML', function() {
 '', '');
 });
+
+ it('should not accept SVG `use` tags', function() {
+ expectHTML('')
+ .toBeOneOf('',
+ '',
+ '');
+ });
 });