svg – WindowsTechs.com

CSP, inline SVG, and XML attributes

Posted on September 17, 2024 by janeden

I recently added some inline SVG images to my website, and the browsers complained about the style attributes within the SVG code not being covered by my strict CSP (style-src: self). Instead of adding unsafe-inline to the CSP or moving al… Continue reading CSP, inline SVG, and XML attributes→

SVG XSS – When script tag and on* attributes are filtered

Posted on June 15, 2024 by paj28

I’m looking at an XSS lab that has the tags: script, iframe, object and embed filtered, and all on* attributes are filtered. However, svg is allowed.
Is this exploitable, with no user interaction required? I’m sure I’ve seen other ways to … Continue reading SVG XSS – When script tag and on* attributes are filtered→

SOP (Same Origin Policy) and CDN SVG XSS

Posted on December 16, 2023 by anonmer

If an SVG file with an XSS payload is hosted on say cdn.example.com and is loaded as a display picture on say mainprod.com, can the XSS payload within the SVG file access and steal cookies from mainprod.com despite the Same-Origin Policy (… Continue reading SOP (Same Origin Policy) and CDN SVG XSS→

Thin Keyboard Fits in Steam Deck Case

Posted on September 6, 2023 by Bryan Cockfield

Although some of the first Android-powered smartphones had them and Blackberries were famous for them, physical keyboards on portable electronics like that quickly became a thing of the past. Presumably …read more Continue reading Thin Keyboard Fits in Steam Deck Case→

AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs

Posted on June 6, 2023 by Waqas

By Deeba Ahmed
Undetected for Over 11 Months, AsyncRAT Lurked on Systems of Sensitive US Agencies with Critical Infrastructures, reports the…
This is a post from HackRead.com Read the original post: AsyncRAT Infiltrates Key US Infrastructure Thro… Continue reading AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs→

Jolly Wrencher SAO, And How KiCad 6 Made It Easy

Posted on October 11, 2022 by Arya Voronova

front and back of the Jolly Wrencher SAO

If you plan to attend Supercon or some other hacker conference, know that you’re going to get a badge with a SAO (Simple Add-On) connector, a 4-pin or 6-pin connector …read more Continue reading Jolly Wrencher SAO, And How KiCad 6 Made It Easy→

Upscaling The Sierras

Posted on June 13, 2022 by Matthew Carlson

side by side of upscaling in the AGI engine

If you played many games back in the mid-80s to 90s, you might remember the iconic graphics from Sierra’s Online Adventure Games. They were brightly colored (16 colors) and dynamic …read more Continue reading Upscaling The Sierras→

Is it practically possible to use SVGs to their full potential while still enjoying all protections offered by Content Security Policy (CSP)?

Posted on May 30, 2022 by gaazkam

My understanding is that:

SVGs offer far greater functionality if they are directly embedded in a site’s HTML code via the <svg> tag than if they are linked to via the <img> tag

For example, if the <svg> tag is used, it… Continue reading Is it practically possible to use SVGs to their full potential while still enjoying all protections offered by Content Security Policy (CSP)?→

What sandbox does an <object> element run in? Can this sandbox be configured?

Posted on March 3, 2022 by jameshfisher

I run a site that displays user-generated SVGs. They are untrusted, so they need to be sandboxed.
I currently embed these SVGs using <object> elements. (Unlike <img>, this allows loading external fonts. And unlike using an <… Continue reading What sandbox does an <object> element run in? Can this sandbox be configured?→

Can SVG be a potential threat for tracking scripts and similar?

Posted on November 12, 2021 by Munchkin

Since SVG files can have JavaScript, which would get executed is it a potential threat for malware, tracking scripts and similar stuff?

Continue reading Can SVG be a potential threat for tracking scripts and similar?→