[Clipart] Malware in clipart

Stephen Silver ocalocal at btinternet.com
Tue Mar 15 06:06:03 PST 2005


Jonadab wrote:

> > As far as I can tell, any SVG file with a script element must
> > contain "<script" or ":script" (or maybe ";script").  
> 
> They could not contain scripts in attributes, such as onclick,
> onmouseover, onmouseout, onmousedown, onmouseup, onfocus, onblur,
> onrollover, onload, onunload, et cetera, ad infinitum, ad bedlam?

Yes, I forgot that the scripts could be entirely contained in
attributes.  There are 19 such attributes listed in the SVG spec.
I checked yesterday that none of these attributes are used in SVG
files in the current release.  As before, this check was done
with grep, so it depends on the files being in UTF-8 (and Andrew
Archibald says that they can be hidden from grep anyway - I would
be interested to see how this can be done).

-- 
Stephen Silver
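
An added example, not part of the original message or of the project's tooling: a check for script elements and event attributes that parses each SVG as XML instead of matching bytes with grep, so the result does not depend on the file's encoding or on the namespace prefix in use. The function names and sample files are constructed for illustration, and any attribute whose name starts with "on" is flagged, which is a superset of the attributes listed in the SVG spec.

```python
import xml.etree.ElementTree as ET

def local_name(qname):
    """Strip ElementTree's '{namespace-uri}' prefix from a tag or attribute name."""
    return qname.rsplit("}", 1)[-1]

def find_script_content(svg_bytes):
    """Return sorted findings for one SVG file, given its raw bytes."""
    try:
        # Pass bytes, not str, so the parser honours the BOM / encoding declaration.
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable"]  # fail closed: a file we cannot parse is not cleared
    findings = set()
    for elem in root.iter():
        # Lower-casing is deliberately conservative; XML names are case-sensitive.
        tag = local_name(elem.tag).lower()
        if tag == "script":
            findings.add("element:script")
        for attr in elem.attrib:
            name = local_name(attr).lower()
            if name.startswith("on"):  # assumption: flag every on* attribute
                findings.add(f"attribute:{tag}@{name}")
    return sorted(findings)

# Constructed sample files (not taken from the clipart release).
SVG_NS = "http://www.w3.org/2000/svg"
CLEAN = f'<svg xmlns="{SVG_NS}"><rect width="1" height="1"/></svg>'.encode("utf-8")
PREFIXED = (f'<s:svg xmlns:s="{SVG_NS}">'
            '<s:script>/* constructed */</s:script></s:svg>').encode("utf-8")
UTF16 = ('<?xml version="1.0" encoding="UTF-16"?>'
         f'<svg xmlns="{SVG_NS}" onload="/* constructed */"/>').encode("utf-16")
BROKEN = b"<svg"

if __name__ == "__main__":
    for label, data in [("clean", CLEAN), ("prefixed", PREFIXED),
                        ("utf16", UTF16), ("broken", BROKEN)]:
        # The byte search stands in for a plain grep over the raw file.
        print(label, "| bytes contain 'onload':", b"onload" in data,
              "| parsed findings:", find_script_content(data))
```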



