Move upload file filter to Rhymix Framework and add proper unit tests for SVG-based attacks

2026-05-08 19:42:15 +09:00 · 2018-10-18 14:34:19 +09:00 · 2018-10-18 14:34:19 +09:00 · e98cf03d95
commit e98cf03d95
parent af64ae79c1
6 changed files with 250 additions and 126 deletions
--- a/tests/_data/security/xss.svg
+++ b/tests/_data/security/xss.svg
@ -0,0 +1,8 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+  <script type="text/javascript">
+    alert('XSS');
+  </script>
+</svg>