Potential SVG Vulnerability

Hi.

I recently discovered an opportunity to address a potential security vulnerability.

We want to be able to use svg files uploaded to prismic inline so that we can style them with CSS.

But we also need to ensure the highest level of security is present for our users.

We are currently employing a custom script to clean the output of the uploaded SVG client-side. But it would be ideal to have the assurance that there are checks on the server side.

Alternatively, it would be excellent to be able to run custom scripts when media is uploaded - to optimize images, PDFs and the like. Then we would be empowered to clean the files ourselves.

So the risk is a client may hack their own website with SVG?

Hey Shawn,

Welcome to the community!

We already have an integration with imgix which optimises all your images automatically and might give you some of the functionality you described.

Just check out their docs to learn more.

Thanks.

@shawn.rice, as Phil mentioned, Prismic optimizes images automatically.

Regarding the risks of SVG files in general, Prismic doesn’t currently have an SVG tester. What I’d recommend is that you first pass your file through an SVG sanitizer before uploading it to Prismic. I have found an article online that may be useful for you: When a Stranger Calls: Sanitizing SVGs.
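As an added illustration of the "sanitize before upload" step recommended above (this is example code written for this page, not Prismic's tooling or the linked article's code), here is a small server-side SVG sanitizer in Python. It keeps only an `<svg>` root, drops elements that can run script or embed HTML (`script`, `foreignObject`, `iframe`, `embed`, `object`), strips every `on*` event-handler attribute, and removes `href`/`xlink:href` values whose scheme is not a same-document fragment, a relative path, or plain http(s). The element and scheme allowlists, the function names, and the sample SVG are all assumptions made for this example.

```python
"""Constructed SVG sanitizer example (not Prismic's code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default and xlink prefixes readable on output instead of ns0/ns1.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed blocklist: elements that can execute script or embed arbitrary HTML
# once the SVG is inlined into a page.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that carry a URL and therefore need a scheme check.
LINK_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}
# Assumed allowlist of schemes; everything else (javascript:, data:, vbscript:) is dropped.
ALLOWED_SCHEMES = {"http", "https"}
_CTRL_OR_WS = re.compile(r"[\x00-\x20\x7f]")


def _local(qname):
    """'{namespace}tag' -> 'tag'; unqualified names are returned unchanged."""
    return qname.rsplit("}", 1)[-1]


def link_is_safe(value):
    """True for '#fragment', relative paths, and http(s) URLs only.
    Whitespace and control characters are removed first because browsers
    ignore them when parsing a scheme ('java<TAB>script:' still runs)."""
    cleaned = _CTRL_OR_WS.sub("", value).lower()
    if cleaned.startswith("#"):
        return True
    scheme, sep, _ = cleaned.partition(":")
    if not sep:
        return True  # no scheme at all: a relative reference
    return scheme in ALLOWED_SCHEMES


def _clean_attributes(el):
    for name in list(el.attrib):
        local = _local(name).lower()
        if local.startswith("on"):  # onload, onclick, onmouseover, ...
            del el.attrib[name]
        elif name in LINK_ATTRIBUTES and not link_is_safe(el.attrib[name]):
            del el.attrib[name]


def sanitize_svg(svg_text):
    """Return a sanitized SVG string; raise ValueError if the root is not <svg>.
    Comments and processing instructions are discarded by ElementTree's
    default parser. For fully untrusted uploads, parse with defusedxml
    instead of the stdlib to also block entity-expansion payloads."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    # Snapshot the tree first so removing children does not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        _clean_attributes(el)
    return ET.tostring(root, encoding="unicode")


# Constructed sample upload mixing benign shapes with script-bearing content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="java&#9;script:alert(1)"><circle r="5" fill="red"/></a>
  <use href="#icon"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">html</body></foreignObject>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
```

Running the block prints the cleaned document: the `<circle>` and the `<use href="#icon"/>` survive, while the `<script>`, the `<foreignObject>`, the `onload` handler, and the tab-obfuscated `javascript:` link are gone. A sanitizer like this belongs on the upload path as well as in the client, so the content team's extra step is enforced rather than relied upon.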

Thanks for the snappy response. I’ll chat with the content team and see if they are amicable to an extra step in the upload process.

Cheers.


This is being tracked as an open feature request.

If you have another use-case for this feature, you can 'Flag' this topic to reopen. Please use the :heart: button to show your support for the feature and check out our Feature Request Guidelines.