Brion Vibber wrote:
Jens Frank wrote:
Since SVG allows the embedding of javascript, we should not deliver SVG's that were uploaded to our users, unless someone provides a reliable javascript remover.
A checker for JavaScript was included in 1.5 branch a couple months back. Of course another look over the code wouldn't hurt!
(We have for some time taken the precaution of serving uploads from a separate subdomain, which should in most cases prevent attacks even if they make it past upload filters; but it may not be complete protection, particular for the sites on *.wikimedia.org domains where there might be a session fixation attack.)
Just for completeness sake, we should block _all_ scripting languages if we are not doing so already, as Microsoft browsers, I believe, can also execute other scripting languages such as Visual Basic, and there are moves to add support for other scripting languages besides JavaScript in Mozilla / Firefox products soon.
-- Neil