Hasty Briefs (beta)

The Woes of Sanitizing SVGs

6 hours ago
  • #Web Development
  • #SVG Security
  • #Scratch Vulnerabilities
  • Scratch has a history of SVG vulnerabilities due to parsing user-generated SVG content into the main document.
  • Security fixes over the years include removing <script> tags, using DOMPurify, and closing HTTP leak vectors such as <image> href and CSS @import.
  • Issues persist, such as XSS via Paper.js in 2024 and HTTP leaks via CSS url() and image-set(), with some vulnerabilities still unfixed.
  • A 2026 full-page restyling vulnerability exploits long transitions to apply arbitrary styles globally, demonstrating ongoing risks.
  • TurboWarp adopts a sandboxing approach using an iframe with a strict Content-Security-Policy to isolate SVGs and prevent exploits.
  • Claude discovered a new HTTP leak in 2026 via the relaxed syntax of CSS nesting, which bypasses sanitization because of css-tree parser limitations.
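As an added example (not code from the summarized post, Scratch or TurboWarp), the Python script below walks an untrusted SVG and reports the sink classes the bullets name: `<script>` elements, event-handler attributes, `href` targets that leave the document, and CSS constructs that trigger a fetch (`@import`, `url()`, `image-set()`). The rule set, function names and the sample SVG are constructed assumptions. It is a review aid that shows what a deny-list has to cover; the post's recurring lesson is that such lists get bypassed by parser edge cases, so rendering the SVG in a sandboxed iframe with a restrictive Content-Security-Policy remains the mitigation that does not depend on the checker being complete.

```python
"""Static triage of an untrusted SVG for the sink classes listed above.

Added example, not code from the summarized post, Scratch or TurboWarp.
The rule set is an assumption: a deny-list of script elements, event
handler attributes, non-local href targets and CSS constructs that cause
a fetch (@import, url(), image-set()). It is a review aid, not a
sanitizer: deny-lists keep being bypassed, so the renderer should still
isolate the SVG in a sandboxed iframe with a restrictive CSP.
"""
import re
import xml.etree.ElementTree as ET  # prefer defusedxml in production (entity expansion)

# CSS constructs that trigger a network fetch once the SVG is parsed into the page.
IMPORT_RE = re.compile(r"@import\b", re.IGNORECASE)
IMAGE_SET_RE = re.compile(r"image-set\s*\(", re.IGNORECASE)
URL_FUNC_RE = re.compile(r"url\(\s*['\"]?([^'\")]*)", re.IGNORECASE)


def _local(qualified_name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified_name.rsplit("}", 1)[-1]


def css_fetches(css):
    """Return the fetching constructs found in a CSS string.

    url(#fragment) references (gradients, masks) stay local and are not reported.
    """
    hits = []
    if IMPORT_RE.search(css):
        hits.append("@import")
    if IMAGE_SET_RE.search(css):
        hits.append("image-set()")
    for match in URL_FUNC_RE.finditer(css):
        target = match.group(1).strip()
        if not target.startswith("#"):
            hits.append(f"url({target})")
    return hits


def audit_svg(svg_text):
    """Walk the SVG and return (category, element, detail) findings in document order."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append(("script-element", tag, ""))
        if tag == "style" and elem.text:
            for hit in css_fetches(elem.text):
                findings.append(("css-fetch", tag, hit))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(("event-handler", tag, name))
            elif name == "href":
                # xlink:href and plain href both become "href" after _local().
                # Fragments stay in the document; data: URLs do not hit the network.
                if not value.startswith("#") and not value.lower().startswith("data:"):
                    findings.append(("external-href", tag, value))
            elif name == "style":
                for hit in css_fetches(value):
                    findings.append(("css-fetch", tag, hit))
    return findings


def safe_to_inline(svg_text):
    """True only when no finding was raised; a false negative is still possible."""
    return not audit_svg(svg_text)


# Constructed sample exercising each rule; not taken from any real project.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="1">
  <script>1</script>
  <style>@import "https://example.invalid/a.css"; rect { fill: url(#g) }</style>
  <image xlink:href="https://example.invalid/p.png" width="10" height="10"/>
  <rect width="10" height="10" style="background: image-set(url(x) 1x)"/>
  <use href="#shape"/>
</svg>"""

if __name__ == "__main__":
    for finding in audit_svg(SAMPLE_SVG):
        print(finding)
```

Running the script on the constructed sample reports the `onload` handler, the `<script>` element, the `@import` in the stylesheet, the external `<image>` target and both fetching constructs in the inline `style`, while the `url(#g)` gradient reference and the `<use href="#shape">` fragment pass. Note that the checker inspects text with regular expressions; a full CSS parser would itself be subject to the kind of syntax gaps the last bullet describes, which is why isolation, not detection, is the control to rely on.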