XSS code injection in online editor

[carlesreig]

XML/SVG web editor is vulnerable to XSS injection code.
For example, editing sample SVG image found at https://editsvgcode.com/ with this code;

<!-- sample rectangle -->
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(1)">
  <rect width="100" height="100" x="50" y="50" fill="red" />
  </a>
</svg>

In this example we just got a javascript alert, but could be cookie info, redirections to malicious/phishing sites...

[nbelyh]

@carlesreig I think you are mistaking here.

Have you tried to insert your code on the site, to see if you can actually get a message box (your script executed)?
When the site inserts a rendered HTML fragment programmatically to preview, it is using elem.innerHTML = 'something',
the scripts inside that HTML/SVG are not executed. So for the site itself, it is harmless.
It does not use eval so whatever scripts you put in the SVG text, they will just not run (on the site)
Preview is rendered always on the client (inserted using innerHtml), so the user code will not be executed if the user navigates to the site using saved snippet url as well.

Or do you mean that you can insert JavaScript <script> tag in the SVG text when editing it?
Yes, the editor does not prevent that, this is intentional.
This site allows you to edit any SVG text, what is the content of the text is completely up to the user.

BTW there is also no login as of now (so there are no login cookies).
Regarding the redirection, you can redirect to a phishing site only yourself basically, not the other people...

Or do you meant that a malicious person can use the editor to create malicious files?
Well, such a person can use a notepad as well, or any other text editor.

Am I missing the point? Could you explain what you mean?