Mario Heiderich did a lot of research on that, he found so many bugs that allowed to embed Javascript in SVG images.
Nice stuff Nick btw, Cheers antisnatchor On Wed, May 16, 2012 at 10:13 AM, Dan Kaminsky <d...@doxpara.com> wrote: > Yeah, there's a bunch of wild stuff in SVG. The browsers ignore most of it, > AFAIK. I think Firefox is the only browser to even consider ForeignObjects > (which let you throw HTML back into SVG). > > Probably the most interesting SVG thing is how they either do or don't have > script access, depending on whether or not they're loaded as <img>'s. It > would be problematic indeed if <img src="foo.jpg"> could suddenly render > script! > > > On Tue, May 15, 2012 at 5:07 AM, Nicolas Grégoire > <nicolas.grego...@agarri.fr> wrote: >> >> Hello, >> >> SVG is a XML-based file format for static or animated images. Some SVG >> specifications (like SVG 1.1 and SVG Tiny 1.2) allow to trigger some >> Java code when the SVG file is opened. >> >> Given that I had to look at these features for a customer, I developed >> some PoC codes which are now available online: >> http://www.agarri.fr/docs/batik-evil.svg >> http://www.agarri.fr/docs/batik-evil.jar >> >> I published a more detailed article on my blog: >> http://www.agarri.fr/blog/ >> >> Regards, >> Nicolas Grégoire / @Agarri_FR >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -- /antisnatchor _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/