[Clipart] Malware in clipart
david at illsley.org
Mon Mar 14 09:05:06 PST 2005
The w3c have a recent habit of producing 'profiles' of their
specifications, there's a possibility that they've done this for SVG
and there is an appropriate profile (or that they might be making one).
I don't know, do we have anyone who follows the w3c svg working group
on the list?
If there were then it would be much simpler to advertise that we accept
'SVG-safe' (or whatever) documents.
On 14 Mar 2005, at 16:49, Andrew Archibald wrote:
> Jon Phillips wrote:
>> though, we need to think up how/where malware could be placed into our
>> submissions? Maybe we shouldn't even allow for external links in SVG
>> files we accept? We need to have a discussion about this.
> I wrote a preliminary tool, only to realize that the task was much
> more complicated than I had thought.
> My knowledge of SVG is limited to its use as a clipart-like format, so
> this is by no means definitive. But there seem to be two places
> scripts can occur: <script> elements, and certain attributes of tags
> (onClick and suchlike). Removing the first is easy; removing the
> second requires knowing which attricutes are okay and which are not.
> So I see two ways to write a sanitizer script:
> 1. Use an XML tool (I started with python-xml) to load the whole
> document into a DOM tree. Read the spec and make a list of acceptable
> tags and attributes. The program then walks the tree and removes
> anything not on the list.
> 2. Use XSLT. I don't even know what it stands for, let alone how to
> use it, but it seems to be designed for just this sort of operation.
> Both ways will badly mangle any SVG designed to use scripts to
> display, but there's really no way around that.
> Validating against a DTD is probably a good idea too, both before and
> after, in the interest of interoperability. In fact, it might be
> possible to construct a restricted DTD for "SVG static" which we could
> then validate against as a check for the absence of scripts (and
>> Thanks Andrew for your post. I think we should look into this. Would
>> be interested in helping us develop a tool to check and strip possible
>> malware from submissions?
> I am interested, but my knowledge of XML and SVG is limited.
> clipart mailing list
> clipart at lists.freedesktop.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3251 bytes
Desc: not available
More information about the clipart