[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Fri Jun 19 12:37:47 UTC 2015
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+-------------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Upload | Version:
Severity: normal | Resolution: maybelater
Keywords: | Focuses:
---------------------------+-------------------------
Comment (by iandunn):
Replying to [comment:33 enshrined]:
> after seeing DOMPurify, I set about trying to duplicate its functionality in PHP
That looks like a great start. Kudos :)
I think one of the main reasons that DOMPurify chose a client-side approach is that there's no good way for PHP to sanitize [http://pastebin.com/rmbiqZgd concatenated strings that build a malicious payload], etc., so I'm guessing you'll have to just completely gut anything that could possibly embed JavaScript. [http://www.slideshare.net/x00mario/the-image-that-called-me The Image That Called Me] has a run-down of a lot of the vectors, but there may be more.
I'd recommend reaching out to Mario Heiderich for some advice, since he could give you details on why they switched from a PHP approach to a client-side one, among tons of other wisdom. I e-mailed him a couple weeks back and he was very friendly and helpful. He's [http://twitter.com/0x6D6172696F on Twitter] and his e-mail is in [http://www.slideshare.net/x00mario this slide deck]. [https://www.ei.rub.de/media/hgi/veroeffentlichungen/2011/10/19/svgSecurity-ccs11.pdf His paper on the topic] is also available if you're looking for a little light reading ;)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:34>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
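An allowlist-based sanitizer of the kind the comment describes (keep only known-safe elements and attributes, and drop anything that could carry script rather than trying to pattern-match payloads), as an added PHP example; it is not code from the ticket, from enshrined's port or from DOMPurify, and the function name, constant names and the particular allowlists are my own illustrative choices.

```php
<?php
// Constructed allowlist-based SVG sanitizer (added illustration, not the ticket's
// code). Anything not explicitly allowed is dropped, so script elements, on*
// handlers, javascript: hrefs and external references are removed structurally
// rather than pattern-matched. Requires PHP 8.0+ (str_starts_with).
const SVG_ALLOWED_ELEMENTS = ['svg', 'g', 'path', 'rect', 'circle', 'ellipse',
    'line', 'polyline', 'polygon', 'text', 'tspan', 'defs', 'title', 'desc',
    'lineargradient', 'radialgradient', 'stop', 'clippath', 'use'];
const SVG_ALLOWED_ATTRIBUTES = ['id', 'class', 'x', 'y', 'x1', 'y1', 'x2', 'y2',
    'cx', 'cy', 'r', 'rx', 'ry', 'width', 'height', 'viewbox', 'd', 'points',
    'fill', 'stroke', 'stroke-width', 'transform', 'offset', 'stop-color',
    'opacity', 'clip-path', 'href', 'xlink:href'];

/** Returns sanitized markup, or null if the input is not an acceptable SVG document. */
function sanitize_svg_allowlist(string $svg): ?string
{
    $doc = new DOMDocument();
    $ok  = @$doc->loadXML($svg, LIBXML_NONET);       // LIBXML_NONET: never fetch over the network
    // Reject unparsable input, any DOCTYPE (an internal DTD subset can declare
    // entities) and documents whose root element is not svg.
    if (!$ok || $doc->doctype !== null
        || strtolower($doc->documentElement->localName) !== 'svg') {
        return null;
    }
    $xpath = new DOMXPath($doc);
    // xml-stylesheet and other processing instructions can load external resources.
    foreach ($xpath->query('//processing-instruction()') as $pi) {
        $pi->parentNode->removeChild($pi);
    }
    // XPath results are static node lists, so pruning while iterating is safe.
    foreach ($xpath->query('//*') as $el) {
        if (!in_array(strtolower($el->localName), SVG_ALLOWED_ELEMENTS, true)) {
            $el->parentNode->removeChild($el);       // script, foreignObject, style, a, animate, ...
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name  = strtolower($attr->nodeName);
            $isRef = in_array($name, ['href', 'xlink:href'], true);
            // Drop event handlers, unlisted attributes, and any reference that is not
            // a same-document fragment (covers javascript:, data: and remote URLs).
            if (str_starts_with($name, 'on')
                || !in_array($name, SVG_ALLOWED_ATTRIBUTES, true)
                || ($isRef && !str_starts_with(strtolower(trim($attr->nodeValue)), '#'))) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $doc->saveXML();
}
```

Leaving out `style` (element and attribute) is deliberate, since CSS can reference external resources in some renderers; every addition to the allowlists should be a conscious, per-item decision.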