[Clipart] Malware in clipart

Andrew Archibald andrew.archibald at sympatico.ca
Mon Mar 14 15:59:23 PST 2005

David Illsley wrote:
 > The w3c have a recent habit of producing 'profiles' of their
 > specifications, there's a possibility that they've done this for SVG and
 > there is an appropriate profile (or that they might be making one). I
 > don't know, do we have anyone who follows the w3c svg working group on
 > the list?
 > If there were then it would be much simpler to advertise that we accept
 > 'SVG-safe' (or whatever) documents.
 > David

I do not follow the W3C working groups, but some cursory searches reveal no 
sign of such a profile (although there is a profile called "SVG print").

I suggest as a first solution a simple program that grovels through the file 
and just flags whether or not it contains any script.  I do *not* suggest 
grep-like tools; they can be foiled by various Unicode/SGML/XML hacks and are 
not really appropriate.  Besides it's *easier* to use a tool that respects the 
XML structure (see http://en.wikipedia.org/wiki/User:Aarchiba/SVG_sanitizer for 
my first attempt).

If we're willing to be a bit daring, all that is needed is a list of attributes 
that are script-only (there is such a list on the SVG standard page).  A 
relatively simple script could then flag the presence of them or the script tag.

It might also be desirable to flag the presence of animation (which can be done 
  without scripting - SVG was designed to replace and extend Flash).

I also recommend running every file through an XML validator.  It's needed to 
make the above script even approach reliability, and it's a good idea to test 
that the files are as well-behaved as possible.  For this reason I also suggest 
doing all the rendering of thumbnails on the server with inkscape, so that (a) 
nobody can send deceptive thumbnails, and (b) it's immediately obvious when 
rendering is non-portable (at least to inkscape on a different machine).

The embedding of non-SVG XML poses a problem for detecting scripting or other 
quirks.  It too can be flagged without too much trouble (I think).


More information about the clipart mailing list