(koaning.io)

519 points cantdutchthis | 1 comments | 08 Jul 25 08:23 UTC | HN request time: 0.211s | source

Show context

xml ◴[08 Jul 25 17:49 UTC] No.44502333[source]▶

A word of caution: There are SVGs which can freeze a page, so make sure that you do not link to any third party SVGs. This is a known bug, but both the Google Chrome and Mozilla team do not want to fix it.

Here is an evil example SVG for demonstration.

DON'T CLICK THIS LINK UNLESS YOU WANT TO RISK CRASHING YOUR BROWSER!

https://asdf10.com/danger.svg

replies(2): >>44502579 #>>44504026 #

pcthrowaway ◴[08 Jul 25 20:58 UTC] No.44504026[source]▶

>>44502333 #

Wait so are recursive XXE attacks like (I'm assuming) this one possible on Github READMEs? Or have they somehow mitigated them?

replies(2): >>44506359 #>>44508031 #

1. hashstring ◴[09 Jul 25 04:29 UTC] No.44506359[source]▶

>>44504026 #

I think external entities can be disabled completely right, but who knows, it may pay off to check out what GH did here :)

↑

SVGs that feel like GIFs