bgalek/safe-svg

SVG SECURITY

A simple and lightweight library that helps validate SVG files from a security standpoint.


It helps you detect malicious content inside uploaded SVGs.

Are you aware that SVG can cause XSS?

Read https://sekurak.pl/pozwalasz-ladowac-pliki-svg-masz-xss-a/ for more details.

Example

Try uploading this SVG into your application. If it is accepted and a user can open the file in a browser, you are probably vulnerable to an XSS attack.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Hello, world!');
</script>
</svg>

Usage

Add library dependency:

implementation "com.github.bgalek.security.svg:safe-svg:1.2.0"

You can use this library to check uploaded SVG files:

SvgSecurityValidator svgSecurityValidator = SvgSecurityValidator.builder().build();
String svg = "<?xml version=\"1.0\" standalone=\"no\"?>\n" +
        "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n" +
        "<svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\">\n" +
        "<polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>\n" +
        "<script type=\"text/javascript\">\n" +
        "alert('Hello, world!');\n" +
        "</script>\n" +
        "</svg>";
ValidationResult validation = svgSecurityValidator.validate(svg);
if (validation.hasViolations()) {
    throw new RuntimeException("this file is suspicious" + validation.getOffendingElements());
}

If you want to allow other (possibly non-safe) elements/attributes, use:

ValidationResult detect = SvgSecurityValidator.builder()
    .withAdditionalElements(elements)
    .withAdditionalAttributes(attributes)
    .build()
    .validate(testFile);

You can also enable strict XML syntax validation. The input is parsed with an XXE-hardened parser (external entities and DTDs are never resolved, entity expansion is disabled), and an InvalidXMLSyntaxException is thrown for malformed XML:

ValidationResult detect = SvgSecurityValidator.builder()
    .withSyntaxValidation()
    .build()
    .validate(testFile);

Both String and byte[] inputs are supported (byte[] is decoded as UTF-8).
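The steps above put together as one upload-screening routine. This is an added example, not code from the safe-svg project: it assumes the library classes live in the package com.github.bgalek.security.svg (inferred from the Maven group id), that InvalidXMLSyntaxException is in that same package, and that the sample SVG strings (constructed here, one of them the script-bearing SVG from this README) stand in for real upload bytes. The routine turns on syntax validation so malformed XML is rejected rather than silently passed, feeds the raw byte[] straight to validate(), and refuses the file whenever the result reports violations.

```java
// Added example (not the project's own code): screen an uploaded SVG before it is
// stored or served. Assumed package name, inferred from the Maven group id.
import com.github.bgalek.security.svg.InvalidXMLSyntaxException;
import com.github.bgalek.security.svg.SvgSecurityValidator;
import com.github.bgalek.security.svg.ValidationResult;

import java.nio.charset.StandardCharsets;

public class SvgUploadGuard {

    // One validator is enough for the whole application; build it once.
    private static final SvgSecurityValidator VALIDATOR = SvgSecurityValidator.builder()
            .withSyntaxValidation() // malformed XML raises InvalidXMLSyntaxException
            .build();

    /** Outcome of screening one upload, with a reason a log line can carry. */
    public static final class Verdict {
        public final boolean accepted;
        public final String reason;

        Verdict(boolean accepted, String reason) {
            this.accepted = accepted;
            this.reason = reason;
        }
    }

    /**
     * Screens raw upload bytes (decoded by the library as UTF-8).
     * Rejects malformed XML and any file with flagged elements/attributes;
     * only a clean file is accepted.
     */
    public static Verdict screen(byte[] upload) {
        try {
            ValidationResult result = VALIDATOR.validate(upload);
            if (result.hasViolations()) {
                return new Verdict(false, "suspicious content: " + result.getOffendingElements());
            }
            return new Verdict(true, "ok");
        } catch (InvalidXMLSyntaxException e) {
            // With syntax validation on, unparseable input is a rejection, not a pass.
            return new Verdict(false, "malformed XML: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed samples: the README's script-bearing SVG, a harmless one, and a truncated one.
        String scripted = "<svg xmlns=\"http://www.w3.org/2000/svg\">"
                + "<polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\"/>"
                + "<script type=\"text/javascript\">alert('Hello, world!');</script>"
                + "</svg>";
        String harmless = "<svg xmlns=\"http://www.w3.org/2000/svg\">"
                + "<polygon points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>"
                + "</svg>";
        String truncated = "<svg xmlns=\"http://www.w3.org/2000/svg\"><polygon";

        for (String sample : new String[] {scripted, harmless, truncated}) {
            Verdict verdict = screen(sample.getBytes(StandardCharsets.UTF_8));
            System.out.println((verdict.accepted ? "ACCEPT  " : "REJECT  ") + verdict.reason);
        }
    }
}
```

Call screen() on the upload bytes before writing the file anywhere, so a rejected SVG never reaches storage or a URL a browser can open; keeping the validator as a single shared instance avoids rebuilding the element and attribute whitelists on every request.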
