javascript: bypass via <svg> and use.

[mikewest]

A friendly, clever person submitted the following as a bypass of the javascript: URL handling in https://wicg.github.io/sanitizer-api/#handle-funky-elements:

<div id=div></div>
<script>
div.replaceChildren(
new Sanitizer({
    "allowElements":["svg","use"],
    "allowAttributes":{"xlink:href":["use"]}}
).sanitize(`<svg>
    <use xlink:href='data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="x" viewBox="0 0 100 50" width="100%" height="100%"><a href="javascript:alert(1)"><circle r="100" /></a></svg>#x'/>
</svg>`));
</script>

[mozfreddyb]

Thanks!
I know we don't handle non-HTML really well yet. Both in spec as well as in implementations. #72 talks some more about this.

[otherdaniel]

I know we don't handle non-HTML really well yet. Both in spec as well as in implementations. #72 talks some more about this.

Seconded. The spec still pretends that SVG doesn't exist, which opens up this hole.

The specific vector here seems to be <svg:use>, which I guess should be either baseline-forbidden, or get treatment similar to <template>.

[otherdaniel]

Meanwhile, the spec knows SVG exists, but we haven't agreed on a "baseline" config for it yet. We should close this bug once that is there.

If it matters, Chromium has a for-testing configuration supporting SVG & friends, which does not have <svg:use> in the baseline and thus unconditionally blocks it.

[annevk]

Do all implementations block data: URLs in svg:use these days? Does that open the door to allowing it?

(See also #103.)

[mozfreddyb]

with data: URLs being unsupported, the remaining XSS risks with <svg use> are URLs pointing to same-origin / same-document resources. Right?

[annevk]

What was the conclusion here and why? We should have something before we close an issue.

[mozfreddyb]

OK. <svg><use> is at this point similar in capabilities to an <iframe>, except that the included resources must be same-origin. We should make sure that we handle it the same way