OP Regular Newbie Apr 17, 2026 6:24pm

Severity: CRITICAL

Location: src/Controllers/AdminBrandingController.php:287-288

Bug: image/svg+xml in allowed MIME list; SVG goes to public/assets/branding/ unchanged. SVG

Fix: Drop SVG from allowed MIMEs or run through an SVG sanitizer.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:30pm

Resolved.

Removed image/svg+xml from the allowed-MIME list in AdminBrandingController::handleBrandingUpload (src/Controllers/AdminBrandingController.php).

Super admins can still upload JPG, PNG, WEBP for logos and covers, and ICO for the favicon — but SVG is refused with a clear error message explaining why.

Rationale: branding assets are loaded on every page, so one SVG containing <script> or onload= would be stored XSS against every visitor. Restricting uploads to raster formats avoids the need to embed an SVG sanitizer dependency.

If we need SVG branding in the future, the right fix is enshrined/svg-sanitize before storage — but that's a larger change with a new dependency; not worth shipping today.

Locking this thread.
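The check described in the two posts above, written out as an added example; this is not the project's AdminBrandingController code, which the thread does not show. It assumes PHP 8+ with the fileinfo extension, and the function, constant and asset-kind names are hypothetical. The point it demonstrates is that the allow-list must be enforced on the sniffed bytes, not on the client-supplied MIME type or the file extension, and that SVG is rejected even when it arrives disguised as another type. The sample inputs at the bottom (a 1x1 PNG and a harmless SVG fragment) are constructed for the demo.

```php
<?php
// Added example, not the project's own code. Names below are hypothetical.
declare(strict_types=1);

// Raster-only allow-list per asset kind; image/svg+xml is deliberately absent.
const ALLOWED_MIMES = [
    'logo'    => ['image/jpeg', 'image/png', 'image/webp'],
    'cover'   => ['image/jpeg', 'image/png', 'image/webp'],
    'favicon' => ['image/x-icon', 'image/vnd.microsoft.icon'],
];

// Extension the server assigns on disk, derived from the sniffed type so a
// user-chosen filename never decides how the asset is later served.
const EXT_FOR_MIME = [
    'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/webp' => 'webp',
    'image/x-icon' => 'ico', 'image/vnd.microsoft.icon' => 'ico',
];

// Cheap textual probe on the head of the file. SVG is XML, so this catches an
// SVG whose client-supplied type or extension claims to be a raster image.
function looksLikeSvg(string $bytes): bool
{
    $head = strtolower(substr($bytes, 0, 4096));
    return str_contains($head, '<svg') || str_contains($head, '<?xml');
}

// Returns [ok, detail]: detail is an error message on failure, or the
// [mime, extension] pair to store the file under on success.
function validateBrandingUpload(string $kind, string $bytes): array
{
    if (!isset(ALLOWED_MIMES[$kind])) {
        return [false, "unknown asset kind '$kind'"];
    }
    if ($bytes === '') {
        return [false, 'empty upload'];
    }

    // Never trust $_FILES['type']; sniff the actual bytes with libmagic.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: 'application/octet-stream';

    if ($sniffed === 'image/svg+xml' || looksLikeSvg($bytes)) {
        return [false, 'SVG is not accepted for branding assets: it can carry '
            . 'scripts and event handlers and is served to every visitor'];
    }
    if (!in_array($sniffed, ALLOWED_MIMES[$kind], true)) {
        return [false, "type $sniffed is not allowed for $kind"];
    }

    // Second opinion for raster formats: the image header must actually decode
    // and agree with the sniffed type. ICO is skipped because getimagesize
    // does not parse it; the magic-based sniff above is the check for favicons.
    if ($kind !== 'favicon') {
        $info = @getimagesizefromstring($bytes);
        if ($info === false || $info['mime'] !== $sniffed) {
            return [false, 'file is not a valid raster image'];
        }
    }
    return [true, [$sniffed, EXT_FOR_MIME[$sniffed]]];
}

// Constructed sample inputs for a stand-alone run.
$png1x1 = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$svg = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';

foreach ([['logo', $png1x1], ['logo', $svg], ['favicon', $png1x1]] as [$kind, $bytes]) {
    [$ok, $detail] = validateBrandingUpload($kind, $bytes);
    printf("%-8s %s %s\n", $kind, $ok ? 'ACCEPT' : 'REJECT', $ok ? implode('/', $detail) : $detail);
}
```

In the handler, the accepted file would then be written under a server-generated name with the returned extension (for example `bin2hex(random_bytes(16)) . '.' . $ext`) into the branding directory, so nothing about the original filename reaches disk. Serving the directory with `X-Content-Type-Options: nosniff` keeps browsers from reinterpreting an asset as something other than its stored type.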
