[Clipart] Malware in clipart

[Andrew Archibald]

Jon Phillips wrote:

> So, I think we should strip out any javascript in submissions. First
> though, we need to think up how/where malware could be placed into our
> submissions? Maybe we shouldn't even allow for external links in SVG
> files we accept? We need to have a discussion about this.

I wrote a preliminary tool, only to realize that the task was much more 
complicated than I had thought.

My knowledge of SVG is limited to its use as a clipart-like format, so this is 
by no means definitive.  But there seem to be two places scripts can occur: 
<script> elements, and certain attributes of tags (onClick and suchlike). 
Removing the first is easy; removing the second requires knowing which 
attricutes are okay and which are not.

So I see two ways to write a sanitizer script:

1. Use an XML tool (I started with python-xml) to load the whole document into 
a DOM tree.  Read the spec and make a list of acceptable tags and attributes. 
The program then walks the tree and removes anything not on the list.

2. Use XSLT.  I don't even know what it stands for, let alone how to use it, 
but it seems to be designed for just this sort of operation.

Both ways will badly mangle any SVG designed to use scripts to display, but 
there's really no way around that.

Validating against a DTD is probably a good idea too, both before and after, in 
the interest of interoperability.  In fact, it might be possible to construct a 
restricted DTD for "SVG static" which we could then validate against as a check 
for the absence of scripts (and animation).

> Thanks Andrew for your post. I think we should look into this. Would you
> be interested in helping us develop a tool to check and strip possible
> malware from submissions?

I am interested, but my knowledge of XML and SVG is limited.

Andrew