[Codex] fix(frontend): sanitize inline SVG icon content before v-html render #557

Merged: abeggled merged 8 commits into abeggled:main from Micsi:codex/propose-fix-for-stored-xss-in-svg-icons on May 29, 2026

Conversation

Micsi (Collaborator) commented May 26, 2026

Upstream Tracking

Motivation

  • The frontend previously injected stored SVG icon content into the DOM using v-html without sanitization, which creates a stored XSS vector when authenticated users upload crafted SVGs and nodes reference them via svg:{name}.
  • The fix centralizes sanitization at the icon normalization boundary so icon content is safe before it is cached and rendered by VisuIcon while preserving existing UI behavior.

Description

  • Updated normalizeSvg in frontend/src/composables/useIcons.ts to parse SVG with DOMParser and return an empty string for non-<svg> roots.
  • Removed executable/embeddable elements from the parsed SVG (script, foreignObject, iframe, object, embed, audio, video) before returning content.
  • Stripped inline event-handler attributes (names starting with on) and removed dangerous URL-bearing attributes (href, xlink:href, src) when they use javascript:, data:, or external http(s) schemes, and preserved the prior root width/height stripping logic so CSS sizing remains unchanged.
  • Left existing call sites (VisuIcon, VisuTree, NodeOverview, Breadcrumb) untouched and performed sanitization centrally in the icons composable.
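The sanitizer the Description above lays out, as an added example that is not the project's code: the PR changes normalizeSvg in TypeScript and parses with the browser's DOMParser, whereas this Python version uses xml.etree so the same parse-then-walk steps (reject non-svg roots, drop executable/embeddable elements, strip on* attributes, remove href/xlink:href/src with blocked schemes, strip root width/height) run offline. The CRAFTED_ICON input, the function names, the whitespace/case normalisation in is_blocked_url and the treatment of malformed input are assumptions made here, not details taken from the PR.

```python
# Added example (not the project's code): a Python mirror of the sanitizer steps the PR
# describes for normalizeSvg. The real change is TypeScript using the browser DOMParser;
# xml.etree is used here only so the same parse-then-walk logic runs offline.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise <svg xmlns=...> without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)

# Elements listed in the PR as executable or embeddable; compared case-insensitively.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "object", "embed", "audio", "video"}
# URL-bearing attributes listed in the PR (href and xlink:href share the local name "href").
URL_ATTRS = {"href", "src"}
BLOCKED_SCHEMES = ("javascript:", "data:", "http:", "https:")


def local_name(qname: str) -> str:
    """'{namespace}name' -> 'name'; unnamespaced names pass through unchanged."""
    return qname.rsplit("}", 1)[-1]


def is_blocked_url(value: str) -> bool:
    """True when the value resolves to one of the schemes the PR removes.

    Browsers ignore leading/trailing whitespace and control characters and
    match schemes case-insensitively, so normalise before comparing. Stripping
    every control/space character is stricter than browser URL parsing; the
    sanitizer errs towards rejection (hardening assumed here, not from the PR).
    """
    normalised = re.sub(r"[\x00-\x20]", "", value).lower()
    return normalised.startswith(BLOCKED_SCHEMES)


def sanitize_svg(markup: str) -> str:
    """Parse SVG markup, drop dangerous content, return safe markup or ''."""
    try:
        root = ET.fromstring(markup)
    except ET.ParseError:
        return ""                       # unparsable input is not rendered at all
    if local_name(root.tag) != "svg":
        return ""                       # non-<svg> root: reject, as the PR does

    # Snapshot the tree first: ElementTree has no parent links, and mutating
    # children while iter() is walking them would skip siblings.
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag).lower() in FORBIDDEN_TAGS:
                parent.remove(child)    # removes the whole subtree

    for el in root.iter():
        for name in list(el.attrib):
            lname = local_name(name).lower()
            if lname.startswith("on"):                   # onload, onclick, ...
                del el.attrib[name]
            elif lname in URL_ATTRS and is_blocked_url(el.attrib[name]):
                del el.attrib[name]

    # Keep the pre-existing behaviour: root size comes from CSS, not the file.
    for attr in ("width", "height"):
        root.attrib.pop(attr, None)

    return ET.tostring(root, encoding="unicode")


# Constructed sample (not from the page): a stored icon carrying script, foreign
# content, an event handler, and a scheme hidden behind whitespace and mixed case.
CRAFTED_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" '
    'width="24" height="24" viewBox="0 0 24 24" onload="handler()">'
    "<script>handler()</script>"
    '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">x</body></foreignObject>'
    '<a xlink:href="  JavaScript:handler()"><path d="M0 0h10"/></a>'
    '<use href="#g"/>'
    "</svg>"
)

if __name__ == "__main__":
    print(sanitize_svg(CRAFTED_ICON))
    print(repr(sanitize_svg("<div>not an icon</div>")))
```

Two points worth keeping in mind when comparing this with the TypeScript version: in the browser, DOMParser does not throw on malformed XML but returns a document containing a parsererror element, so the non-svg root check is what rejects such input there; and outside the browser, untrusted XML should go through defusedxml rather than plain xml.etree, since the entity-expansion protections of the stdlib parser depend on the installed expat version.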

Testing

  • Ran the frontend typecheck successfully with cd frontend && npm run typecheck and the command completed without errors.

Codex Task

Micsi (Collaborator, Author) commented May 26, 2026

🔄 Promotion update from the fork

This upstream PR was synchronized in this session with the state from Micsi#44.

Changes made

  • Description synchronized
  • Assignee set/added: @Micsi
  • Reviewer requested: @abeggled

Current commit state from the fork

  • fix(frontend): sanitize inline svg icons before rendering
  • docs(release): note SVG sanitization fix in release notes
  • fix(frontend): harden SVG sanitizer against root/URL bypasses

Please use the updated state for the review.

codecov (Bot) commented May 29, 2026

Codecov Report

❌ Patch coverage is 27.27273% with 8 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines    Patch %    Lines
obs/config.py               27.27%     8 Missing ⚠️


@abeggled abeggled merged commit 8a64674 into abeggled:main May 29, 2026
6 of 7 checks passed

Labels: Security (Security-related changes)
