Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in external-svg-loader

SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in Cross-site Scripting (XSS). When trying to sanitize the svg the lib removes event attributes such as `onmouseover`, `onclick` but the list of events is not exhaustive. Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack. This issue has been addressed in commit `d3562fc08` which is included in releases from 1.6.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

SVG Loader 跨站脚本漏洞

SVG Loader是一个简单的 JS 库，它使用 XHR 获取 SVG 并将 SVG 代码注入到标签的位置。 SVG Loader 1.6.8版本及之前版本存在跨站脚本漏洞，该漏洞源于输入清理逻辑不够，可以轻松绕过。

N/A

N/A