
Script inside SVG?

Posted Apr 17, 2025 6:41 UTC (Thu) by epa (subscriber, #39769)
In reply to: Script inside SVG? by excors
Parent article: Catanzaro: Dangerous arbitrary file read vulnerability in Yelp

In my view copying HTML verbatim should not be dangerous *in a help browser*. Whatever it does with the HTML should involve displaying it, not executing any scripts.

It can check the HTML too, making sure it doesn't have <script> elements, to present a useful error message -- but that shouldn't be the only defence. The writeup notes: "Simply appending a script tag or a malicious on* attribute in the input XML document won't work since handling these tags is not defined in the yelp-xsl app." Which is great, but an oversight in the XSL processing shouldn't open the door to arbitrary scripting.

I think WebKitGtk needs a mode without any JavaScript support, and this should even be the default (since there are hundreds of little programs that just want to display some HTML in their splash screen or help text with a few lines of code, while writing a web browser is a less common task).


SVG mode needs to be SVG Tiny Portable/Secure

Posted Apr 17, 2025 9:35 UTC (Thu) by johnjones (guest, #5462)

the whole point is you can have a logo or drawing to explain but you don't need scripts and

https://datatracker.ietf.org/doc/html/draft-svg-tiny-ps-a...

JJ

Script inside SVG?

Posted Apr 17, 2025 9:40 UTC (Thu) by excors (subscriber, #95769)

One comment in the bug report says "We do use JavaScript in the HTML output for things like expandable sections. Disabling all JavaScript would break numerous features". It also uses MathJax for MathML rendering; apparently WebKit has reasonable native support for MathML nowadays, but not back in 2012 when Yelp added it. And it looks like there's highlight.js for syntax highlighting.

If WebKitGTK had a no-scripting mode, Yelp would probably have disabled that mode because scripting is very useful.

Script inside SVG?

Posted Apr 17, 2025 10:51 UTC (Thu) by epa (subscriber, #39769)

I wonder about a mode that lets pages load external Javascript from a single, fixed directory, but forbids or severely restricts inline <script> elements.

Script inside SVG?

Posted Apr 17, 2025 12:13 UTC (Thu) by excors (subscriber, #95769)

Sounds like you want Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP), where a page's HTTP header or <meta> element can restrict the page to only load scripts from a specific origin (domain), disable inline scripts and event handlers, only allow scripts with specific hashes, only allow <script>s with a server-generated nonce (which is what the Yelp patch does), etc.

It's explicitly "not intended as a first line of defense against content injection vulnerabilities" but it "reduces the harm that a malicious injection can cause" (https://www.w3.org/TR/CSP3/)

Script inside SVG?

Posted Apr 21, 2025 23:55 UTC (Mon) by NYKevin (subscriber, #129325)

You don't need JavaScript for expandable sections, that's just <details>. You probably do need some JavaScript for other forms of basic DOM manipulation (like syntax highlighting), but you almost certainly do not need it to have internet access (we're displaying help files from the local system, not the internet). The "obvious" solution is to dump Yelp inside of a Flatpak (or any Flatpak-like thing, like a Nix container, a Docker image, etc.), turn off its internet access, and call it a day. But that would be unacceptable to every distro that packages GNOME, so it will probably not be done as the official upstream fix (as entertaining as it might be to watch 50 different distros grapple with "you can't un-Flatpak it for security reasons" versus "you can't keep it in a Flatpak because Flatpak is evil").

I imagine there might be some cases where you try to load a Yelp document over HTTP(S) for legitimate reasons (e.g. because the help file is not installed locally), but I really hope that is not the case because Yelp is unmaintained (per the bug tracker) and should not be dealing with untrusted content from the internet. If they are not already planning to remove its internet capabilities outright, they should do that now.

Script inside SVG?

Posted Apr 23, 2025 6:20 UTC (Wed) by mathstuf (subscriber, #69389)

AFAIK, WebKitGTK does support disabling JS: https://github.com/uzbl/uzbl/blob/master/src/variables.c#...

Script inside SVG?

Posted Apr 17, 2025 13:18 UTC (Thu) by mcatanzaro (subscriber, #93033)

There are two options to disable JavaScript: WebKitSettings:enable-javascript, which is a heavy hammer to turn it off completely, which applications often cannot use because they generally need to be able to run their own JavaScript, and also WebKitSettings:enable-javascript-markup, which disables all JavaScript embedded in documents but still allows applications to execute JavaScript themselves. WebKitSettings:enable-javascript-markup is generally what you want.

However, it seems Yelp does need to allow documents to execute certain approved scripts, so I guess it can't use either of these.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds