Brion Vibber wrote:
Jens Frank wrote:
Since SVG allows the embedding of javascript, we should not deliver
SVG's
that were uploaded to our users, unless someone provides a reliable
javascript remover.
A checker for JavaScript was included in 1.5 branch a couple months
back. Of course another look over the code wouldn't hurt!
(We have for some time taken the precaution of serving uploads from a
separate subdomain, which should in most cases prevent attacks even if
they make it past upload filters; but it may not be complete
protection, particular for the sites on *.wikimedia.org domains where
there might be a session fixation attack.)
Just for completeness sake, we should block _all_ scripting languages if
we are not doing so already, as Microsoft browsers, I believe, can also
execute other scripting languages such as Visual Basic, and there are
moves to add support for other scripting languages besides JavaScript in
Mozilla / Firefox products soon.
-- Neil