
Pensar - auto fix for Dangerous SVG Rendering Enables Cross-Site Scripting #10

Status: Open
Wants to merge 1 commit into base: canary

Conversation

pensarapp[bot] commented Apr 1, 2025

Secured with Pensar

Fixed a Cross-Site Scripting (XSS) vulnerability in the Next.js image configuration:

  1. Removed the dangerouslyAllowSVG: true setting which was disabling SVG sanitization. This setting was dangerous because it allowed SVG files to be rendered without proper sanitization, potentially executing malicious JavaScript embedded in SVG files.

  2. Added a Content Security Policy specifically for the Next.js image optimization with contentSecurityPolicy: "default-src 'self'; script-src 'none'; sandbox;" that:

    • Restricts resources to same origin (default-src 'self')
    • Prevents any script execution (script-src 'none')
    • Applies sandbox restrictions to further limit capabilities

This fix ensures that SVG files will now be properly sanitized before rendering, preventing potential execution of malicious scripts embedded in SVG content. This is particularly important in a CMS context where users can upload their own content.

More Details

Type: Application
Identifier: CWE-79
Severity: high
Message: The configuration enables 'dangerouslyAllowSVG', which permits SVG images to be rendered without being sanitized. Since SVG files can contain embedded scripts or malicious code, this can lead to cross-site scripting (XSS) vulnerabilities if untrusted SVG content is allowed. In a content management system like SimplCMS, where media is uploaded by users or integrated via third-party services, this setting increases the risk of exploiting XSS vulnerabilities (CWE-79).

Context Analysis:
- Trust Boundaries: Client-side (untrusted) interactions with media content. If user-supplied SVG files are not sanitized, they can bypass security mechanisms and execute malicious scripts in the browser.
- Data Flow Analysis: The configuration setting directly impacts how SVG files are handled when they cross from external sources into the client context.
- Security Contexts: Client-side rendering allows untrusted external SVG content to be processed unsanitized.

In this context, using this configuration setting is a true positive vulnerability since enabling dangerous SVG rendering without proper validation poses significant risk.
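The configuration change described in the comment above, as an added example that is not part of the pull request or of SimplCMS: a small audit helper that flags the `dangerouslyAllowSVG` setting the PR removes and verifies that the image `contentSecurityPolicy` it adds forbids scripts and applies an unweakened sandbox. `auditImageConfig` and `parseCsp` are hypothetical names, the severity ratings for the CSP findings are the example's own, and both config objects are constructed samples.

```javascript
// Added audit helper (example code, not part of the PR or of SimplCMS): inspects the
// `images` block of a Next.js config object for the weak setting this PR removes and
// checks that the image CSP it adds forbids scripts and applies a sandbox.
// auditImageConfig/parseCsp are hypothetical names; severities for the CSP findings
// are this example's own; the config objects are constructed samples.

// Parse a CSP string into a Map of directive name -> value string.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1).join(" "));
  }
  return directives;
}

// Return a list of findings; an empty list means the images block passes the checks.
function auditImageConfig(nextConfig) {
  const images = (nextConfig && nextConfig.images) || {};
  const findings = [];

  // The setting removed by this PR: SVG passes through the optimizer unsanitized (CWE-79).
  if (images.dangerouslyAllowSVG === true) {
    findings.push({ id: "CWE-79", severity: "high",
      message: "images.dangerouslyAllowSVG is enabled: SVG is served without sanitization" });
  }

  // The CSP added by this PR: require script-src 'none' and a sandbox without allow-scripts.
  const csp = typeof images.contentSecurityPolicy === "string" ? images.contentSecurityPolicy : "";
  const directives = parseCsp(csp);
  if (directives.get("script-src") !== "'none'") {
    findings.push({ id: "CWE-79", severity: "medium",
      message: "images.contentSecurityPolicy does not set script-src 'none'" });
  }
  if (!directives.has("sandbox") || /\ballow-scripts\b/.test(directives.get("sandbox"))) {
    findings.push({ id: "CWE-79", severity: "medium",
      message: "images.contentSecurityPolicy has no sandbox directive, or the sandbox allows scripts" });
  }
  return findings;
}

// Constructed samples: the configuration before this PR and the one it introduces.
const beforeConfig = { images: { dangerouslyAllowSVG: true } };
const afterConfig = {
  images: { contentSecurityPolicy: "default-src 'self'; script-src 'none'; sandbox;" },
};
```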

vercel bot commented Apr 1, 2025

The latest updates on your projects.

Name: simpl-cms-docs
Status: ✅ Ready
Updated (UTC): Apr 1, 2025 7:19am
