📰 2026-04-28 00:30 更新
🔸 The Woes of Sanitizing SVGs / 消毒SVG的弊端
🔗 The Woes of Sanitizing SVGs
🔥 43 points
原文:
Scratch has a long history of SVG-related vulnerabilities. The source of these is that Scratch parses user-generated (ie. attacker-controlled) content into an <svg> element and appends it into the main document for various operations (eg. measuring SVG bounding box in a more reliable way than viewbox or width/height). No matter how briefly the SVG remains in the main document, this is an inherently unsafe operation. Scratch’s approach to making this safe has been to build increasingly c…
译文:
Scratch长期存在与SVG相关的漏洞。其来源是Scratch将用户生成的(即攻击者控制的)内容解析为< svg >元素,并将其附加到主文档中进行各种操作(例如,以比视框或宽度/高度更可靠的方式测量SVG边界框)。无论SVG在主文档中的保留时间多么短暂,这都是一种本质上不安全的操作。Scratch对待ma的方法 国王这个保险箱已经建造了越来越多的C…
自动更新 · 正文抓取 · 双语翻译