
added 'text:' image format specifier

Open l4yton opened this issue 5 years ago • 2 comments

l4yton, Jul 01 '20 08:07

That's insane! Awesome, thank you!

There's a typo in your example, but this one worked for me with convert test.svg test.png:

<svg width="800" height="800">
  <image width="800" height="800" href="text:/etc/passwd"/>
</svg>

I guess I put a note at the top that says:

All of these methods specify a URI, which can be absolute or relative. File and HTTP protocol are important to test, but it could also support other protocols depending on the implementation (e.g. PHP stream schemes), including javascript: and data:.

But perhaps it'd be better to have a section for schemes like this, especially because ImageMagick seems much more relevant than PHP stuff.

allanlw, Jul 01 '20 12:07

I guess putting the note on top would make sense, but I'm not sure about having an extra section for this. I've only found text: to be a useful scheme in exploitation, and it is SVG/ImageMagick specific. If there are more, I guess it would make sense though.

l4yton, Jul 02 '20 10:07
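
A pre-conversion check for the references discussed in this thread, added here as an example (it is not part of the issue or of the cheatsheet project): it lists every href / xlink:href in an SVG that is not a same-document fragment, so an upload can be rejected before it is handed to convert. The function names and the allow-list policy are assumptions, and references made from CSS url() are not covered.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def classify_ref(value, allowed_schemes=frozenset()):
    """Return None if the reference is acceptable, else a reason string."""
    ref = value.strip()
    if ref.startswith("#"):
        return None                      # same-document fragment: nothing is fetched
    match = SCHEME_RE.match(ref)
    if match is None:
        return "path"                    # bare path: resolved on the converting host
    scheme = match.group(1).lower()
    return None if scheme in allowed_schemes else "scheme:" + scheme

def find_external_refs(svg_text, allowed_schemes=frozenset()):
    """List (element, reason, value) for every href that leaves the document."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        local_tag = elem.tag.rsplit("}", 1)[-1]   # drop the "{namespace}" prefix
        for attr in ("href", XLINK_HREF):
            value = elem.get(attr)
            reason = None if value is None else classify_ref(value, allowed_schemes)
            if reason:
                findings.append((local_tag, reason, value))
    return findings

# Constructed samples: the SVG quoted in the thread, and a harmless one.
THREAD_SVG = """<svg width="800" height="800">
  <image width="800" height="800" href="text:/etc/passwd"/>
</svg>"""
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect id="r" width="10" height="10"/>
  <use xlink:href="#r"/>
</svg>"""

if __name__ == "__main__":
    for name, svg in (("thread", THREAD_SVG), ("benign", BENIGN_SVG)):
        print(name, find_external_refs(svg))
```

Passing allowed_schemes=frozenset({"data"}) admits inline data: images while still flagging text:, file:, http: and bare paths.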