zhanshi/goldmark
1
0
Fork 0
mirror of https://github.com/yuin/goldmark synced 2025-03-04 23:04:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

renderer: image/svg is also safe

Browse source 
When used in an image context, SVG cannot execute scripts, be styled
or fetch additional resources. So, they are as safe as other formats.

When used in a `<a>` tag, it could starts executing JS, but only in
its own context, so it shouldn't be dangerous either.

This raises the question on which image format is dangerous.
This commit is contained in:
Vincent Bernat 2022-04-03 23:29:34 +02:00
parent e29c1a5dfa
commit fc877ab357
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
renderer/html/html.go
View file

@ -819,6 +819,7 @@ var bPng = []byte("png;")
var bGif = []byte("gif;")
var bJpeg = []byte("jpeg;")
var bWebp = []byte("webp;")
var bSvg = []byte("svg;")
var bJs = []byte("javascript:")
var bVb = []byte("vbscript:")
var bFile = []byte("file:")
@ -830,7 +831,8 @@ func IsDangerousURL(url []byte) bool {
if bytes.HasPrefix(url, bDataImage) && len(url) >= 11 {
v := url[11:]
if bytes.HasPrefix(v, bPng) || bytes.HasPrefix(v, bGif) ||
bytes.HasPrefix(v, bJpeg) || bytes.HasPrefix(v, bWebp) {
bytes.HasPrefix(v, bJpeg) || bytes.HasPrefix(v, bWebp) ||
bytes.HasPrefix(v, bSvg) {
return false
}
return true