
The Woes of Sanitizing SVGs

https://muffin.ink/blog/scratch-svg-sanitization/
58•varun_ch•1h ago

Comments

spankalee•1h ago
This is, by the way, why Google Slides doesn't have SVG support even though there's a nearly 15 year old ticket requesting the feature.
andybak•1h ago
My first thought is "support a tiny subset of svg that probably still covers 90% of real-world use cases".

I do feel that there are two distinct types of svg - "bunch of paths with fills" and "clever dangerous stuff" where most real SVGs are of the former type.

Fully expect this to be shot down by someone that's thought about this problem for longer than the 120 seconds I just spent. :)

harperlee•1h ago
Fwiw I just thought the same, parse (don’t validate) the bits you like and recreate / reject the input.
varun_ch•57m ago
I wonder if it would be best if this was at the browser level as some sort of new format. Otherwise surely it would be really slow/cumbersome to deal with these in ‘user space’
duped•40m ago
So if you are building something where you control every SVG ever produced and rendered then this is totally reasonable.

If you ever need to interface with other tools that generate SVG you now need to have a way of essentially transpiling SVG from the wild into your tamed SVGs. Oftentimes this is done by hand, by a software developer and designer (sometimes the same person).

And this is for basic functionality that your designers expect and have trivial controls for in their vector editors, like "add a drop shadow."

The article goes into some issues with sanitization itself, and except for <script> these are a bunch of reasonable things that someone might expect to work or not have issues with. Sandboxing rendering isn't an unreasonable approach if you're not writing the parser and renderer yourself.

whycome•37m ago
It always seems like any animated svg loses all of the animation after sanitizing.
afavour•35m ago
I think you're right but the lack of industry standard for this kind of thing kills it. People want to be able to take the output of whatever tool they use that exports SVG and put it in a browser. Which isn't an unfair request. But you wouldn't have a guarantee it wouldn't filter out the tool using some obscure SVG functionality.

I'd love to see an agreed standard like OpenGL vs OpenGL ES for SVG. SVG-ES. Everyone agrees on the static, non-scripted elements that should work.

varun_ch•32m ago
The way linked SVGs render from within img tags is basically perfect for SVG images (which as I understand is not standardized but is largely the same across browsers).

If someone formalizes this as a new format, please give it a new name! tvg tiny vector graphics? savg safe vector graphics?

And keep the scope as simple as possible so it actually ships! Don’t try implementing a binary format or something.

ambicapter•27m ago
.rvg, Restricted Vector Graphics?
hackeman300•24m ago
Someone did this already and did call it tinyVG! https://tinyvg.tech/
LorenPechtel•29m ago
Yeah, I think that's the real answer.

Look at what Microsoft did with Excel--the dangerous stuff is behind a switch.

Thus, solution:

Add two bits to the tag.

SVG1 does not execute any sort of script.

SVG2 does not follow links.

SVG3 is actually SVG1 + SVG2 as these are bit flags, not numbers.

Additional bits are reserved for future use if any other issues are found.

The only real safety is in the engine, not by any sanitizer.

hackeman300•25m ago
Seems like someone already implemented your idea. https://tinyvg.tech/
Springtime•46m ago
It seems the reason they're inlined in the page at all is to measure things briefly like bounding boxes (not sure the full extent as it didn't cover that), before subsequent removal. I'm not familiar with Scratch and its use of user-submitted SVGs but I'd be curious to read more about what they're doing that required it be inlined specifically.

(This isn't a comment on the challenges in proper sanitization fwiw, as I've needed to do various of the same things myself)

esafak•42m ago
Is there a browser-friendly vector alternative?
ikkun•32m ago
I do wish tinyVG or similar would take off, but I don't see that ever actually happening. the only thing I think it's missing is animation support, which is pretty niche but not as niche as <script> tags.

https://tinyvg.tech/

philo23•26m ago
It'd be nice if there was a sandbox attribute you could add to inline <svg> tags, like the <iframe sandbox> attribute that'd let you opt out of all the potentially "dynamic" stuff inside of an SVG like scripts and event handlers, or even just literally sandbox the entire thing from accessing the "parent" HTML page's context/cookies/etc just like an iframe.

I'm sure it'd just open up a whole other can of worms though... not to mention having to wait for browsers to actually support it.

The real solution here is definitely CSP + basic sanitisation though.

simonw•19m ago
I'm glad this article includes the only credible fix for the HTTP leak problems: CSP.

A useful thing I learned recently is that, while CSP headers are usually set using HTTP headers, you can also reliably set them directly in HTML - for example for HTML generated directly on a page where HTTP headers don't come into play:

  <iframe sandbox="allow-scripts" srcdoc="
    <!-- CSP keywords must be single-quoted; the meta attributes use double quotes,
         escaped once because they sit inside the outer srcdoc attribute -->
    <meta http-equiv=&quot;Content-Security-Policy&quot;
        content=&quot;default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline';&quot;>
    <!-- untrusted content here -->
  "></iframe>
It feels like this shouldn't work, because JavaScript in the untrusted content could use the DOM to delete or alter that meta tag... but it turns out all modern browsers specifically lock that down, treating those CSP rules as permanent as soon as that meta tag has loaded before any malicious code has the chance to subvert them.

I had Claude Code run some experiments to help demonstrate this a few weeks ago: https://github.com/simonw/research/tree/main/test-csp-iframe...
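
An added example (not from the comment above or its linked repository) of building that srcdoc iframe with plain string handling, so it runs in Node without a DOM: it lints the policy for the easy mistake of leaving CSP keywords unquoted, escapes the untrusted markup for the attribute context it lands in, and embeds a constructed SVG sample. The function names and the sample SVG are assumptions of this example.

```javascript
// Added example: assemble the sandboxed srcdoc iframe from the comment above.
// Pure string handling only, so it runs in Node without a DOM.

// CSP keywords must be single-quoted. A bare `none` or `unsafe-inline` is parsed
// as a host name, so the policy silently means something else than intended.
const CSP_KEYWORDS = new Set(["none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic"]);

// Return every bare (unquoted) keyword found in a policy string; empty means OK.
function lintCsp(policy) {
  const bare = [];
  for (const directive of policy.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    for (const source of parts.slice(1)) {
      if (CSP_KEYWORDS.has(source)) bare.push(source);
    }
  }
  return bare;
}

// Escape text for a double-quoted HTML attribute value. Only `&` and `"` need
// escaping there; `<` and `>` are legal inside an attribute and the browser
// decodes the value once before parsing it as the frame's document.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Build the frame. The <meta> attributes use double quotes (escaped once for the
// outer srcdoc attribute) so the CSP keywords keep their single quotes. Without
// allow-same-origin the frame has an opaque origin, so even scripts that run
// there cannot touch the parent page's DOM, cookies or storage.
function buildSandboxedFrame(untrustedHtml, policy) {
  const bare = lintCsp(policy);
  if (bare.length) throw new Error("unquoted CSP keyword(s): " + bare.join(", "));
  const inner = `<meta http-equiv="Content-Security-Policy" content="${policy}">` + untrustedHtml;
  return `<iframe sandbox="allow-scripts" srcdoc="${escapeAttr(inner)}"></iframe>`;
}

// Scripts may run, but connect-src/img-src fall back to default-src 'none', so
// the network calls an SVG might try (the "HTTP leak") are blocked.
const SAFE_POLICY = "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline';";

// Constructed sample input (hypothetical host name): an SVG carrying an inline script.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>fetch("https://example.invalid/x")</script></svg>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildSandboxedFrame(SAMPLE_SVG, SAFE_POLICY));
}
```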

etchalon•18m ago
I don't understand why it wasn't immediately understood that SVG is as dangerous as HTML.

It is not, and never was, an image format. It's a markup language.

SpyCoder77•7m ago
I did not expect to see GarboMuffin.
