[Clipart] Malware in clipart
andrew.archibald at sympatico.ca
Mon Mar 14 15:59:23 PST 2005
David Illsley wrote:
> The w3c have a recent habit of producing 'profiles' of their
> specifications, there's a possibility that they've done this for SVG and
> there is an appropriate profile (or that they might be making one). I
> don't know, do we have anyone who follows the w3c svg working group on
> the list?
> If there were then it would be much simpler to advertise that we accept
> 'SVG-safe' (or whatever) documents.
I do not follow the W3C working groups, but some cursory searches reveal no
sign of such a profile (although there is a profile called "SVG print").
I suggest as a first solution a simple program that grovels through the file
and just flags whether or not it contains any script. I do *not* suggest
grep-like tools; they can be foiled by various Unicode/SGML/XML hacks and are
not really appropriate. Besides, it's *easier* to use a tool that respects the
XML structure (see http://en.wikipedia.org/wiki/User:Aarchiba/SVG_sanitizer for
my first attempt).
If we're willing to be a bit daring, all that is needed is a list of attributes
that are script-only (there is such a list on the SVG standard page). A
relatively simple script could then flag the presence of them or the script tag.
It might also be desirable to flag the presence of animation (which can be done
without scripting - SVG was designed to replace and extend Flash).
I also recommend running every file through an XML validator. It's needed to
make the above script even approach reliability, and it's a good idea to test
that the files are as well-behaved as possible. For this reason I also suggest
doing all the rendering of thumbnails on the server with inkscape, so that (a)
nobody can send deceptive thumbnails, and (b) it's immediately obvious when
rendering is non-portable (at least to inkscape on a different machine).
The embedding of non-SVG XML poses a problem for detecting scripting or other
quirks. It too can be flagged without too much trouble (I think).
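A sketch of the parser-based flagger the post describes, added here as an example (my own code, not the sanitizer linked in the message): it walks the XML tree with Python's stdlib ElementTree and reports script elements, on* event-handler attributes, animation elements, elements from a non-SVG namespace, and files that are not well-formed; the javascript: href check and the sample documents are my additions.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Animation elements from the SVG 1.1 element list; they run without script.
ANIMATION = {"animate", "animateColor", "animateMotion", "animateTransform", "set"}

# Constructed sample documents, not files from the clipart project.
CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SCRIPTED = ('<svg xmlns="http://www.w3.org/2000/svg"><script>//</script>'
            '<rect onclick="run()"/></svg>')


def _split(qname):
    """Split '{ns}local' into (ns, local); unprefixed names get ns=''."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def scan_svg(data):
    """Return findings for one SVG document given as a string.

    The XML parser resolves entities and encodings first, so the tricks
    that fool a grep do not fool the element walk below."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    for elem in root.iter():
        ns, local = _split(elem.tag)
        if ns not in ("", SVG_NS):
            findings.append("embedded non-SVG element {%s}%s" % (ns, local))
            continue
        if local == "script":
            findings.append("script element")
        if local in ANIMATION:
            findings.append("animation element <%s>" % local)
        for attr, value in elem.attrib.items():
            _, alocal = _split(attr)
            # SVG's event attributes (onload, onclick, ...) are script-only.
            if alocal.startswith("on"):
                findings.append("event handler %s on <%s>" % (alocal, local))
            # Extra check beyond the post: script smuggled into a link target.
            if alocal == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL on <%s>" % local)
    return findings


if __name__ == "__main__":
    print(scan_svg(SCRIPTED))
```

For uploads from untrusted users, parse with defusedxml.ElementTree instead of the stdlib module so entity-expansion bombs are rejected rather than expanded.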