SVG XSS Defence Scenarios

I've been looking for a way to defend aginst XSS and other JavaScript being included in a malicious SVG file. Based on suggestions from friends, I've come up with a few scenarios which I've included here, if you have any other suggestions I can add to this list, please get in touch (robin@digi.ninja).

• Direct view - vulnerable - The file is linked to directly.
• Direct view with content-disposition: attachment - not vulnerable - Headers are sent to force the file to be downloaded.
• Direct view with CSP - not vulnerable - The Content Security Policy is set to disallow inline JavaScript.
• Image Tags - not vulnerable - The SVG is referenced through image tags which prevent scripts.
• Image Tags With CSP - not vulnerable - Image tags and the same CSP as above for double protection.
• Sanitised through Inkscape - vulnerable - This is a direct view but the file has been processed by the following command:
  

  inkscape --file="xss.svg" --verb="FileVacuum" --export-plain-svg="sanitised.svg"

  It was expected that this would remove the JavaScript but it did not.
• Image in an iframe - vulnerable - The SVG is loaded as the source for the iframe with no special attributes set.
• Image in a sandboxed iframe - not vulnerable - The SVG is loaded as the source for the iframe but the sandbox attribute is set to block scripts.

It has also been pointed out that if you need to allow untrusted SVG files to be served from your site that it is best to store and serve them from a different subdomain to prevent attacks against the main domain.

Lab created by Robin Wood - DigiNinja