
525 points cantdutchthis | 1 comments

xml No.44502333
A word of caution: there are SVGs which can freeze a page, so make sure that you do not link to any third-party SVGs. This is a known bug, but both the Google Chrome and Mozilla teams do not want to fix it.

Here is an evil example SVG for demonstration.

DON'T CLICK THIS LINK UNLESS YOU WANT TO RISK CRASHING YOUR BROWSER!

https://asdf10.com/danger.svg

pcthrowaway No.44504026
Wait, so are recursive XXE attacks like (I'm assuming) this one possible on GitHub READMEs? Or have they somehow mitigated them?
hashstring No.44506359
I think external entities can be disabled completely, right? But who knows, it may pay off to check out what GH did here :)
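The thread asks whether a site that renders user-supplied SVGs can simply refuse entity declarations. As an added example (not code from the thread, and not GitHub's implementation), the following pre-check runs a non-expanding expat pass and rejects any SVG that carries a DOCTYPE or entity declaration before the file is parsed or rendered; the function names and sample SVGs are constructed for illustration.

```python
# Added example: reject any SVG with a DOCTYPE/entity declaration before parsing.
# Function names and the sample SVGs below are constructed, not from the thread.
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

class UnsafeSvgError(ValueError):
    """Raised when an SVG contains constructs that allow entity expansion or XXE."""

def svg_is_safe(data: bytes) -> tuple[bool, str]:
    """Scan with expat without expanding anything.

    Any DOCTYPE is refused outright (that is where entities are declared), so
    neither recursive internal entities nor external SYSTEM entities can be
    defined. Returns (True, "ok") or (False, reason).
    """
    parser = expat.ParserCreate()
    # Never fetch or process parameter entities from an external DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvgError(f"DOCTYPE declaration for <{name}> not allowed")

    def reject_entity(*decl):
        # Defence in depth: unreachable once DOCTYPE is refused, kept anyway.
        raise UnsafeSvgError("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(data, True)
    except UnsafeSvgError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"

def parse_svg(data: bytes) -> str:
    """Parse only after the pre-check passes; return the root element's tag."""
    ok, reason = svg_is_safe(data)
    if not ok:
        raise UnsafeSvgError(reason)
    return ET.fromstring(data).tag

# Constructed inputs: a plain SVG and one smuggling an internal DTD.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
DTD_SVG = (b'<!DOCTYPE svg [<!ENTITY a "x"><!ENTITY b "&a;&a;">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&b;</text></svg>')

if __name__ == "__main__":
    print(svg_is_safe(BENIGN_SVG), svg_is_safe(DTD_SVG))
```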