A simple, lightweight Java library that validates SVG files from a security standpoint.
It helps you detect malicious content (such as embedded scripts) inside uploaded SVGs.
Read https://sekurak.pl/pozwalasz-ladowac-pliki-svg-masz-xss-a/ for the background on why SVG uploads are dangerous.
Try uploading the SVG below to your application. If it is accepted and a user can open the file directly in the browser, you are probably vulnerable to XSS. Note that scripts inside an SVG do not execute when the file is rendered through an `<img>` tag, but they do execute when the browser navigates to the file itself (e.g. served from its own URL as `image/svg+xml`), which is the case this test exercises.
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Hello, world!');
</script>
</svg>
```
Add the library dependency (Gradle; on Gradle 7 and later use the `implementation` configuration instead of `compile`):
```groovy
compile "com.github.bgalek.security.svg:safe-svg:1.1.4"
```
Use the validator to check an uploaded SVG before you store or serve it:
```java
SvgSecurityValidator svgSecurityValidator = SvgSecurityValidator.builder().build();
// The same SVG as above: a harmless polygon plus an embedded <script> element.
String svg = "<?xml version=\"1.0\" standalone=\"no\"?>\n" +
        "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n" +
        "<svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\">\n" +
        "<polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>\n" +
        "<script type=\"text/javascript\">\n" +
        "alert('Hello, world!');\n" +
        "</script>\n" +
        "</svg>";
ValidationResult validation = svgSecurityValidator.validate(svg);
if (validation.hasViolations()) {
    // getOffendingElements() lists what tripped the check, e.g. the <script> element here.
    throw new RuntimeException("this file is suspicious: " + validation.getOffendingElements());
}
```
If you need to allow additional (possibly unsafe) elements or attributes, extend the allowlist through the builder, where `elements` and `attributes` are the extra names you want to permit. Every name you add widens what the validator accepts, so review each one against what it can do in a browser before allowing it:
```java
ValidationResult detect = SvgSecurityValidator.builder()
        .withAdditionalElements(elements)
        .withAdditionalAttributes(attributes)
        .build()
        .validate(testFile);
```
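The following is an added example of wiring the validator into an upload path; it is not part of the safe-svg library or its documentation. It uses only the API shown above (`SvgSecurityValidator.builder().build()`, `validate(String)`, `hasViolations()`, `getOffendingElements()`). The import package is assumed to match the artifact's group id, the `SvgUploadGate` class and its `Decision` record are hypothetical, and the size cap and strict UTF-8 decoding are this example's own policy rather than anything the library does. It requires Java 16 or later for the record type.

```java
import com.github.bgalek.security.svg.SvgSecurityValidator; // package assumed from the artifact's groupId
import com.github.bgalek.security.svg.ValidationResult;     // package assumed from the artifact's groupId

import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

/** Hypothetical upload gate built around safe-svg (example code, not part of the library). */
public final class SvgUploadGate {

    // Size cap is this example's own policy; the library itself imposes none.
    private static final int MAX_BYTES = 512 * 1024;

    private final SvgSecurityValidator validator;

    public SvgUploadGate(SvgSecurityValidator validator) {
        this.validator = validator;
    }

    /** Outcome of checking one upload: accepted, or rejected with a reason. */
    public record Decision(boolean accepted, String reason) {}

    public Decision check(byte[] upload) {
        if (upload == null || upload.length == 0) {
            return new Decision(false, "empty upload");
        }
        if (upload.length > MAX_BYTES) {
            return new Decision(false, "file exceeds " + MAX_BYTES + " bytes");
        }
        String svg;
        try {
            // Strict decoding: malformed UTF-8 is rejected instead of silently replaced,
            // so the validator sees the same text a browser would parse.
            svg = StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(upload))
                    .toString();
        } catch (CharacterCodingException e) {
            return new Decision(false, "not valid UTF-8");
        }
        ValidationResult result = validator.validate(svg);
        if (result.hasViolations()) {
            return new Decision(false, "disallowed content: " + result.getOffendingElements());
        }
        return new Decision(true, "ok");
    }

    public static void main(String[] args) {
        SvgUploadGate gate = new SvgUploadGate(SvgSecurityValidator.builder().build());

        // Constructed sample inputs: the README's triangle with and without the <script> element.
        String clean = "<svg xmlns=\"http://www.w3.org/2000/svg\">"
                + "<polygon points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/></svg>";
        String scripted = "<svg xmlns=\"http://www.w3.org/2000/svg\">"
                + "<polygon points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>"
                + "<script type=\"text/javascript\">alert('Hello, world!');</script></svg>";

        System.out.println("clean:    " + gate.check(clean.getBytes(StandardCharsets.UTF_8)));
        System.out.println("scripted: " + gate.check(scripted.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Even when an SVG passes the gate, serve user-supplied files from a separate origin or with `Content-Disposition: attachment` where possible; the validator reduces the attack surface of the file's content, but the browser's treatment of the response is still controlled by how you serve it.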