svg-out / Security check
The security check consists of the following parts:
- The root node of the file must be an <svg> element (this part is checked on the server only).
- Check the SVG for suspicious elements (see below).
The SVG is checked for the following suspicious regular expressions:
"<script", "javascript:", "&#[0-9]+", "&#x[0-9abcdef]+", "onfocusin", "onfocusout", "onactivate", "onclick", "onmousedown", "onmouseup", "onmouseover", "onmousemove", "onmouseout", "onload", "onunload", "onabort", "onerror", "onresize", "onscroll", "onzoom", "onbegin", "onend", "onrepeat", "onkey", "ondblclick", "\\bon[a-z]*="
This check is performed after:
- converting the SVG to lower case
- removing characters which might compromise the check
All characters matching the expression below are removed before the check runs. The ^ at the start of the character class is a negation, so the expression means: remove every character that is not one of a-z, 0-9, ., ,, ; and the other listed characters.
{"[^a-z0-9.,;:=<>+\\-\\/#\\*\\(\\)&]"}
Remark: these alterations are of course only done for checking purposes and don't change the SVG.
In case you are aware of a threat which is not covered by the list above, please let me know.
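As an added illustration (not the project's own code, whose implementation is not shown on this page), the procedure described above re-implemented in Python: the pattern list and the character allowlist are taken from this page, the root-element check uses a plain XML parse, and the sample documents are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Patterns as listed on the wiki page (Java-style string escapes unwrapped to plain regex).
SUSPICIOUS = [
    "<script", "javascript:", "&#[0-9]+", "&#x[0-9abcdef]+",
    "onfocusin", "onfocusout", "onactivate", "onclick", "onmousedown",
    "onmouseup", "onmouseover", "onmousemove", "onmouseout", "onload",
    "onunload", "onabort", "onerror", "onresize", "onscroll", "onzoom",
    "onbegin", "onend", "onrepeat", "onkey", "ondblclick", r"\bon[a-z]*=",
]
# Allowlist from the page: every character outside this class is removed before matching.
STRIP = re.compile(r"[^a-z0-9.,;:=<>+\-/#*()&]")


def normalize(svg: str) -> str:
    """Lower-case the document, then drop characters outside the allowlist.
    Whitespace and quotes go too, so attribute names end up glued to the preceding
    token; the explicitly listed handler names therefore do most of the matching."""
    return STRIP.sub("", svg.lower())


def find_suspicious(svg: str) -> list:
    """Return every pattern from the page's list that matches the normalized SVG."""
    text = normalize(svg)
    return [p for p in SUSPICIOUS if re.search(p, text)]


def root_is_svg(svg: str) -> bool:
    """Server-side part of the check: the root element must be <svg>.
    Compares the namespace-stripped local name; unparsable input fails the check."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        return False
    return root.tag.rsplit("}", 1)[-1] == "svg"


def is_safe(svg: str) -> bool:
    """Combined verdict: root must be <svg> and no suspicious pattern may match."""
    return root_is_svg(svg) and not find_suspicious(svg)


# Constructed sample documents (not taken from the project).
CLEAN = ('<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
         '<rect width="10" height="10" fill="#ccc"/></svg>')
HANDLER = '<svg xmlns="http://www.w3.org/2000/svg" onload="handler()"><rect width="1" height="1"/></svg>'
ENTITY = '<svg xmlns="http://www.w3.org/2000/svg"><text>&#65;</text></svg>'
WRONG_ROOT = '<html><svg xmlns="http://www.w3.org/2000/svg"/></html>'

if __name__ == "__main__":
    for name, doc in [("CLEAN", CLEAN), ("HANDLER", HANDLER), ("ENTITY", ENTITY), ("WRONG_ROOT", WRONG_ROOT)]:
        print(f"{name}: safe={is_safe(doc)} matches={find_suspicious(doc)}")
```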