[Clipart] Malware in clipart

Stephen Silver ocalocal at btinternet.com
Mon Mar 14 08:39:22 PST 2005


Jon Phillips wrote:

> We are interested in CLIP ART, and hence we would not need any
> javascript in our files.

I'm not quite so sure about this.  For example, a clock image
could use scripting to allow the user to set the time to whatever
they want.  This is preferable to uploading at least 720 different
images (one for each minute on a 12-hour clock).

> So, I think we should strip out any javascript in submissions.

I would rather not have something that attempts to make non-trivial
edits to SVG files, as we are currently breaking files by doing this
sort of thing.  (E.g., look at state_of_michigan_kevin__01.svg in the
incoming folder - there have been similar broken files in the past,
and I think it's caused by something in the upload process getting
confused about multiple metadata elements in the uploaded file.)

Easier for now would be to detect files that contain possible script
elements, and keep them out of the collection until someone has checked
that they are safe.  As far as I can tell, any SVG file with a script
element must contain "<script" or ":script" (or maybe ";script").
There are no SVG files containing any of these strings in the current
release, unless they're not in UTF-8.

I haven't really thought about what should be done with external
references.

-- 
Stephen Silver
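
The detect-and-hold check proposed in this message, as an added example that is not part of the original post or the project's own code. It uses the three substrings named above and also holds any upload whose encoding is uncertain, since the substring test only means something on correctly decoded text; the function names, BOM handling and sample uploads are assumptions constructed for illustration.

```python
import codecs

# Substrings from the post: any SVG script element must contain one of them.
MARKERS = ("<script", ":script", ";script")

# BOMs, longest first, so a UTF-32 LE file is not misread as UTF-16 LE.
BOMS = (
    (codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be"),
)

def decode_svg(data):
    """Return the upload as text, or None when the encoding is uncertain."""
    encoding, body = "utf-8", data
    for bom, name in BOMS:
        if data.startswith(bom):
            encoding, body = name, data[len(bom):]
            break
    try:
        text = body.decode(encoding)
    except UnicodeDecodeError:
        return None
    # NUL characters are illegal in XML; here they mean BOM-less UTF-16/32
    # that only looked like UTF-8, so the substring test would miss markers.
    return None if "\x00" in text else text

def triage(data):
    """Return (decision, reason); decision is "accept" or "hold"."""
    text = decode_svg(data)
    if text is None:
        return "hold", "encoding uncertain, marker check not reliable"
    found = [m for m in MARKERS if m in text]
    if found:
        return "hold", "possible script element: " + " ".join(found)
    return "accept", "no script markers"

# Constructed sample uploads (not files from the collection).
SAMPLES = {
    "plain.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>',
    "clock.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script/></svg>',
    "prefixed.svg": b'<s:svg xmlns:s="http://www.w3.org/2000/svg"><s:script/></s:svg>',
    "utf16.svg": codecs.BOM_UTF16_LE + "<svg><script/></svg>".encode("utf-16-le"),
    "nobom16.svg": "<svg><script/></svg>".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *triage(data))
```

Files are never edited, only sorted into accept or hold for manual checking; external references are not examined.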



