Sanitize use tag in SVG

imgproxy · Feb 25, 2023 · 62f8d08 · 62f8d08
1 parent 947d65c
commit 62f8d08
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
 
 ### Change
 - Make the `expires` processing option set `Expires` and `Cache-Control` headers.
+- Sanitize `use` tags in SVGs.
 
 ## [3.13.2] - 2023-02-15
 ### Change

diff --git a/svg/svg.go b/svg/svg.go
@@ -35,6 +35,8 @@ func Satitize(data *imagedata.ImageData) (*imagedata.ImageData, error) {
 
 	ignoreTag := 0
 
+	var curTagName string
+
 	for {
 		tt, tdata := l.Next()
 
@@ -67,15 +69,28 @@ func Satitize(data *imagedata.ImageData) (*imagedata.ImageData, error) {
 
 			return &newData, nil
 		case xml.StartTagToken:
-			if strings.ToLower(string(l.Text())) == "script" {
+			curTagName = strings.ToLower(string(l.Text()))
+
+			if curTagName == "script" {
 				ignoreTag++
 				continue
 			}
+
 			buf.Write(tdata)
 		case xml.AttributeToken:
-			if _, unsafe := unsafeAttrs[strings.ToLower(string(l.Text()))]; unsafe {
+			attrName := strings.ToLower(string(l.Text()))
+
+			if _, unsafe := unsafeAttrs[attrName]; unsafe {
 				continue
 			}
+
+			if curTagName == "use" && (attrName == "href" || attrName == "xlink:href") {
+				val := strings.TrimSpace(strings.Trim(string(l.AttrVal()), `"'`))
+				if len(val) > 0 && val[0] != '#' {
+					continue
+				}
+			}
+
 			buf.Write(tdata)
 		default:
 			buf.Write(tdata)