php-svg
                        Security options
Do you have any plans concerning security? As I see it, there are two things I'd like to limit/control:
- distant files (with whitelist option or bool to forbid them entirely?)
- scripts (imho should be filtered/removed per default)

Do you have any plan / vision on the matter? How would you handle those, can I help you, and how?
I agree that PHP-SVG is currently lacking in the security department. I think there are two different aspects here (please correct me if I misunderstood):
1. security of running PHP-SVG on a server, i.e.: What can users do with the server when user input is passed to PHP-SVG? Can they cause a denial-of-service, for example?
2. securing the output of PHP-SVG (which is likely what you mean with "security options"): This would be the ability to sanitize/restrict the output of PHP-SVG to avoid outputting certain things to browsers, which may cause them to make unwanted network requests, for example.

For (1.) we would need to audit the code for weaknesses in the implementation, create test cases, and implement fixes. Setting configurable limits e.g. for the size of embedded images would also be a possibility, along with additional input validation.
For (2.) we would need to design an API for sanitizing the output of PHP-SVG. Either we make it generic in some way, such that users can filter out anything they want easily, or we design it with specific options for each thing that someone may want to filter. In the latter case, we'd need a list of each such thing. You suggest distant files and scripts: Perhaps someone also wants to filter stylesheets, or fonts (perhaps every font, perhaps only external fonts), or embedded images (all of them or only some URLs?).
I don't have a plan right now. Anyone is welcome to suggest something to fit their use case, however :)
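To make the second aspect concrete, here is an added example (not PHP-SVG's own code, and not its API) of what an output sanitizer with per-thing options could look like, built on plain DOMDocument under PHP 8. The function and option names, and the policy of treating fragments, relative paths and data: URIs as local, are assumptions for illustration.

```php
<?php
// Added example, not PHP-SVG's own code: a sanitizer for SVG output built on
// DOMDocument. The option names and what counts as "remote" are assumptions.
function isRemoteRef(string $url): bool
{
    // Fragments (#id), relative paths and data: URIs stay; any other scheme or // leaves the host.
    return (bool) preg_match('~^(?!data:)(?:[a-z][a-z0-9+.-]*:|//)~i', $url);
}

function sanitizeSvg(string $svg, bool $allowScripts = false, bool $allowRemoteRefs = false, bool $allowStylesheets = false): string
{
    $dom = new DOMDocument();
    // LIBXML_NONET: libxml must never fetch a DTD or external entity while parsing.
    if (!$dom->loadXML($svg, LIBXML_NONET)) {
        throw new InvalidArgumentException('Malformed SVG');
    }
    $xp = new DOMXPath($dom);
    $remove = [];   // collect first, remove later: mutating a live DOMNodeList mid-iteration is unsafe
    // local-name() keeps the queries working whether or not xmlns is declared on <svg>.
    if (!$allowScripts) {
        foreach ($xp->query('//*[local-name()="script"]') as $n) $remove[] = $n;
    }
    if (!$allowStylesheets) {
        $q = '//*[local-name()="style"]|//processing-instruction("xml-stylesheet")';
        foreach ($xp->query($q) as $n) $remove[] = $n;
    }
    foreach ($xp->query('//@*') as $a) {
        $name = strtolower($a->localName);   // both href and xlink:href give "href"
        $v = trim($a->value);
        if (!$allowScripts && (str_starts_with($name, 'on') || preg_match('/^javascript:/i', $v))
            || !$allowStylesheets && $name === 'style'
            || !$allowRemoteRefs && in_array($name, ['href', 'src'], true) && isRemoteRef($v)) {
            $remove[] = $a;
        }
    }
    foreach ($remove as $n) {
        $n instanceof DOMAttr ? $n->ownerElement->removeAttributeNode($n) : $n->parentNode->removeChild($n);
    }
    if (!$allowRemoteRefs) {
        // CSS reaches out too: blank url(...) targets that point off-document, keep url(#id).
        foreach ($xp->query('//*[local-name()="style"]/text()|//@style') as $css) {
            $css->nodeValue = preg_replace_callback('/url\(\s*([\'"]?)([^\'")]*)\1\s*\)/i',
                fn ($m) => isRemoteRef($m[2]) ? 'url()' : $m[0], $css->nodeValue);
        }
    }
    return $dom->saveXML();
}

// Constructed sample: the script, the onload handler and the remote image are dropped; fill="url(#g)" stays.
$out = sanitizeSvg('<svg xmlns="http://www.w3.org/2000/svg"><script>1</script><rect onload="x()" fill="url(#g)"/><image href="https://example.org/a.png"/></svg>');
```

The three booleans map onto the "list of each such thing" approach from the post; fonts and embedded images would be further options in the same pattern, and a whitelist for remote hosts would go into isRemoteRef().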
Yep, I was more thinking about the second one, but your 1 is very valid too. Did you look at the Symfony HtmlSanitizer source code? I guess we could take inspiration there to create a SvgSanitizer? (and, full disclosure, this would 100% be something I'd gladly use in UxIcons afterwards)
@smnandre there is enshrined/svg-sanitize, unless you want to have additional libraries :)
On this repo I don't want anything :)
I don't know enshrined/svg-sanitize, I'll take a look, thanks!
... and I'm not sure you'll often see me ask for additional libraries... as for me, the perfect PR removes dependencies :)
Yeah, I also like fewer dependencies :D