HTML Standard Tracker

SVN: 2096
Bug: (none)
Comment: Make it impossible for an SVG file not labelled as SVG to be sniffed as a valid image in <img> (that would allow privilege escalation), but do allow a correctly-labelled SVG to be processed as such.
Time (UTC): 2008-08-21 10:06
@@ -3690,22 +3690,21 @@
    unknown type">unknown type</i> step below.</p> <!-- In a study
    looking at many billions of pages whose first five characters were
    "<HTML", "unknown/unknown" was used to label documents about once
    for every 5000 pages labeled "text/html", and "application/unknown"
    was used about once for every 35000 pages labeled
    "text/html". --></li>
 
    <li><p>If <var title="">official type</var> ends in "+xml", or if
    it is either "text/xml" or "application/xml", then the sniffed
    type of the resource is <var title="">official type</var>; return
-   that and abort these steps.</p></li> <!-- we don't want
-   image/svg+xml going through the next step -->
+   that and abort these steps.</p></li>
 
    <li><p>If <var title="">official type</var> is an image type
    supported by the user agent (e.g. "image/png", "image/gif",
    "image/jpeg", etc), then jump to the <i title="content-type
    sniffing: image">images</i> section below, passing it the <var
    title="">official type</var>.</p></li>
 
    <li><p>If <var title="">official type</var> is "text/html", then
    jump to the <i title="content-type sniffing: feed or html">feed or
    HTML</i> section below.</p></li>
@@ -4074,22 +4073,26 @@
   HTML anyway and allows script to execute).</p>
 
   <p>The column marked "security" is used by the algorithm in the
   "text or binary" section, to avoid sniffing <code
   title="">text/plain</code> content as a type that can be used for a
   privilege escalation attack.</p>
 
 
   <h4><dfn>Content-Type sniffing: image</dfn></h4>
 
-  <p>If the first bytes of the resource match one of the byte
-  sequences in the first column of the following table, then the
+  <p>If the resource's <var title="">official type</var> is
+  "image/svg+xml", then the sniffed type of the resource is its <var
+  title="">official type</var> (an XML type).</p>
+
+  <p>Otherwise, if the first bytes of the resource match one of the
+  byte sequences in the first column of the following table, then the
   sniffed type of the resource is the type given in the corresponding
   cell in the second column on the same row:</p>
 
   <table>
    <thead>
     <tr>
      <th>Bytes in Hexadecimal
      <th>Sniffed type
      <th>Comment
 
@@ -13553,21 +13556,23 @@ interface <dfn>HTMLImageElement</dfn> : <span>HTMLElement</span> {
   the response code was a 2xx code or equivalent) must be ignored when
   determining the image's type and whether it is a valid image.</p>
 
   <p class="note">This allows servers to return images with error
   responses, and have them displayed.</p>
 
   <p>The user agents should apply the <span title="Content-Type
   sniffing: image">image sniffing rules</span> to determine the type
   of the image, with the image's <span title="Content-Type">associated
   Content-Type headers</span> giving the <var title="">official
-  type</var>.</p>
+  type</var>. If these rules are not applied, then the type of the
+  image must be the type given by the image's <span
+  title="Content-Type">associated Content-Type headers</span>.</p>
 
   <p>User agents must not support non-image resources with the
   <code>img</code> element (e.g. XML files whose root element is an
   HTML element). User agents must not run executable code
   (e.g. scripts) embedded in the image resource. User agents must only
   display the first page of a multipage resource (e.g. a PDF
   file). User agents must not allow the resource to act in an
   interactive fashion, but should honour any animation in the
   resource.</p>
 
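Review bot: the added fallback (`If these rules are not applied, then the type of the image must be the type given by the image's ... associated Content-Type headers`) leaves the non-sniffing case undefined when the response carries no Content-Type header at all, or one that is not an image type, which is precisely the situation the sniffing rules exist to resolve; suggest stating what happens then (for example, that the resource is not a valid image), so a user agent that opts out of sniffing, which the preceding "should" permits, is never left without a type and does not improvise one. Minor, in the context line: "The user agents should apply" reads better as "User agents should apply", matching the following paragraph.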
