
Conversation

@beliarh beliarh commented Oct 18, 2025

Found that the values attribute in SVG <animate> tags wasn't being checked for dangerous URL schemes like javascript: or data:. This could be exploited like this:

<svg>
  <animate xlink:href="#xss" attributeName="href" values="javascript:alert(1)" />
  <a id="xss"><text>Click</text></a>
</svg>

The issue is that allowedSchemesAppliedToAttributes already has from and to for animate elements, but values was missing.

Changes

Added values to the list of attributes that get validated.
Now it works the same way as href, from, and to - extracts the scheme and blocks if it's not in the whitelist.
Regular animation values like "0;1;0" or "red;green;blue" work fine since they don't have a scheme prefix.
Only stuff like javascript:, data:, vbscript: gets filtered out.

Tests

Added two test cases to xss.test.ts - one with javascript: and one with data: scheme.
Both get properly sanitized now (the values attribute is removed from the output).
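As an added illustration of the check described in this PR (not the project's own code; ALLOWED_SCHEMES, ANIMATION_VALUE_ATTRIBUTES, extractScheme, valueAllowed and sanitizeAnimateAttributes are assumed names), the scheme extraction applied to values alongside href, from and to. It goes beyond the PR in one respect: values is split on ";" and every entry is checked, since each entry becomes the animated href in turn.

```typescript
// Added example, not the project's own code. All names here are assumptions.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const ANIMATION_VALUE_ATTRIBUTES = new Set(["href", "xlink:href", "from", "to", "values"]);

// Returns the scheme of one value in lowercase, or null when the value has no scheme
// ("0", "red", "#xss"). Browsers drop leading whitespace/control characters and compare
// schemes case-insensitively, so the value is normalised the same way before matching.
function extractScheme(value: string): string | null {
  const trimmed = value.replace(/^[\s\u0000-\u001f]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// True when every scheme-bearing entry of the attribute uses an allowed scheme.
// Plain animation values such as "0;1;0" or "red;green;blue" carry no scheme and pass.
function valueAllowed(attrValue: string, allowed: Set<string> = ALLOWED_SCHEMES): boolean {
  return attrValue.split(";").every((entry) => {
    const scheme = extractScheme(entry);
    return scheme === null || allowed.has(scheme);
  });
}

// Removes any animation attribute whose value carries a disallowed scheme, matching the
// PR's behaviour of dropping the attribute rather than the whole element.
function sanitizeAnimateAttributes(attrs: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (ANIMATION_VALUE_ATTRIBUTES.has(name.toLowerCase()) && !valueAllowed(value)) {
      continue; // attribute dropped from the output
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample: the attribute set of the <animate> element from the PR description.
const sample = sanitizeAnimateAttributes({
  "xlink:href": "#xss",
  attributeName: "href",
  values: "javascript:alert(1)",
});
console.log(sample); // values is removed; xlink:href and attributeName survive
```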
