Remove all known unsafe attrs from SVG during sanitization; Add Content-Security-Policy header to response
This commit is contained in:
parent
f89ced23e4
commit
bbb6a3335d
@ -128,6 +128,8 @@ func respondWithImage(reqID string, r *http.Request, rw http.ResponseWriter, sta
|
|||||||
rw.Header().Set("X-Result-Height", resultData.Headers["X-Result-Height"])
|
rw.Header().Set("X-Result-Height", resultData.Headers["X-Result-Height"])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rw.Header().Set("Content-Security-Policy", "script-src 'none'")
|
||||||
|
|
||||||
rw.Header().Set("Content-Length", strconv.Itoa(len(resultData.Data)))
|
rw.Header().Set("Content-Length", strconv.Itoa(len(resultData.Data)))
|
||||||
rw.WriteHeader(statusCode)
|
rw.WriteHeader(statusCode)
|
||||||
rw.Write(resultData.Data)
|
rw.Write(resultData.Data)
|
||||||
|
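Review bot: The new `rw.Header().Set("Content-Security-Policy", "script-src 'none'")` line carries no comment saying why it exists, and since it is emitted for every image response rather than only for SVG, a future maintainer who trusts the sanitizer may drop it as redundant. Suggest `// Defense in depth: if SVG sanitization misses a script vector, a browser opening the image directly must still refuse to run it.` above the line. `script-src 'none'` governs script execution only; if the goal is to fully isolate served SVGs, consider whether a stricter `default-src 'none'`-based policy is appropriate, checked against SVGs that rely on inline styles, and confirm that `X-Content-Type-Options: nosniff` is set somewhere in this handler, which is not visible here. respondWithImage begins before this hunk, and the file path is not shown on the page.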
@ -73,7 +73,7 @@ func Satitize(data *imagedata.ImageData) (*imagedata.ImageData, error) {
|
|||||||
}
|
}
|
||||||
buf.Write(tdata)
|
buf.Write(tdata)
|
||||||
case xml.AttributeToken:
|
case xml.AttributeToken:
|
||||||
if strings.ToLower(string(l.Text())) == "onload" {
|
if _, unsafe := unsafeAttrs[strings.ToLower(string(l.Text()))]; unsafe {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
buf.Write(tdata)
|
buf.Write(tdata)
|
||||||
|
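Review bot: The changed check `if _, unsafe := unsafeAttrs[strings.ToLower(string(l.Text()))]; unsafe {` is an exact-name denylist, so any event attribute missing from the table (a vendor-prefixed or newly standardized handler) passes through unchanged; I am not aware of any non-event SVG or HTML attribute whose name begins with "on", so a prefix test is the safer default: `name := strings.ToLower(string(l.Text()))` followed by `if strings.HasPrefix(name, "on") { continue }`, with the explicit map in svg/unsafe_attrs.go kept only if the project wants a reviewable list. The result variable `unsafe` reads like the `unsafe` package; `_, blocked :=` would be clearer. This lookup keys on attribute names only, so attributes whose risk lies in their value (for example `href`/`xlink:href`) have to be handled elsewhere in Satitize if they are not already, which I cannot tell from this hunk. Satitize begins and ends outside the hunk, and the file path is not shown on the page.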
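--- /dev/null
+++ b/svg/unsafe_attrs.go
@@ -0,0 +1,114 @@
+package svg
+
+var unsafeAttrs = map[string]struct{}{
+	"onafterprint": {},
+	"onafterscriptexecute": {},
+	"onanimationcancel": {},
+	"onanimationend": {},
+	"onanimationiteration": {},
+	"onanimationstart": {},
+	"onauxclick": {},
+	"onbeforecopy": {},
+	"onbeforecut": {},
+	"onbeforeinput": {},
+	"onbeforeprint": {},
+	"onbeforescriptexecute": {},
+	"onbeforeunload": {},
+	"onbegin": {},
+	"onblur": {},
+	"onbounce": {},
+	"oncanplay": {},
+	"oncanplaythrough": {},
+	"onchange": {},
+	"onclick": {},
+	"onclose": {},
+	"oncontextmenu": {},
+	"oncopy": {},
+	"oncuechange": {},
+	"oncut": {},
+	"ondblclick": {},
+	"ondrag": {},
+	"ondragend": {},
+	"ondragenter": {},
+	"ondragleave": {},
+	"ondragover": {},
+	"ondragstart": {},
+	"ondrop": {},
+	"ondurationchange": {},
+	"onend": {},
+	"onended": {},
+	"onerror": {},
+	"onfinish": {},
+	"onfocus": {},
+	"onfocusin": {},
+	"onfocusout": {},
+	"onfullscreenchange": {},
+	"onhashchange": {},
+	"oninput": {},
+	"oninvalid": {},
+	"onkeydown": {},
+	"onkeypress": {},
+	"onkeyup": {},
+	"onload": {},
+	"onloadeddata": {},
+	"onloadedmetadata": {},
+	"onloadend": {},
+	"onloadstart": {},
+	"onmessage": {},
+	"onmousedown": {},
+	"onmouseenter": {},
+	"onmouseleave": {},
+	"onmousemove": {},
+	"onmouseout": {},
+	"onmouseover": {},
+	"onmouseup": {},
+	"onmousewheel": {},
+	"onmozfullscreenchange": {},
+	"onpagehide": {},
+	"onpageshow": {},
+	"onpaste": {},
+	"onpause": {},
+	"onplay": {},
+	"onplaying": {},
+	"onpointerdown": {},
+	"onpointerenter": {},
+	"onpointerleave": {},
+	"onpointermove": {},
+	"onpointerout": {},
+	"onpointerover": {},
+	"onpointerrawupdate": {},
+	"onpointerup": {},
+	"onpopstate": {},
+	"onprogress": {},
+	"onratechange": {},
+	"onrepeat": {},
+	"onreset": {},
+	"onresize": {},
+	"onscroll": {},
+	"onsearch": {},
+	"onseeked": {},
+	"onseeking": {},
+	"onselect": {},
+	"onselectionchange": {},
+	"onselectstart": {},
+	"onshow": {},
+	"onstart": {},
+	"onsubmit": {},
+	"ontimeupdate": {},
+	"ontoggle": {},
+	"ontouchend": {},
+	"ontouchmove": {},
+	"ontouchstart": {},
+	"ontransitioncancel": {},
+	"ontransitionend": {},
+	"ontransitionrun": {},
+	"ontransitionstart": {},
+	"onunhandledrejection": {},
+	"onunload": {},
+	"onvolumechange": {},
+	"onwebkitanimationend": {},
+	"onwebkitanimationiteration": {},
+	"onwebkitanimationstart": {},
+	"onwebkittransitionend": {},
+	"onwheel": {},
+}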
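Review bot: `unsafeAttrs` has no doc comment stating the contract its caller depends on: every key must be lowercase, because Satitize lowercases the attribute name before probing the map, so a mixed-case entry would silently never match. Suggest `// unsafeAttrs is the set of attribute names (always lowercase) that Satitize strips because they can execute script; keep it sorted.` above the `var`. Since the table is hand-maintained, a small test asserting that each key is lowercase and begins with "on" would catch a typo that would otherwise let that attribute through.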