ladybird/Tests/LibWeb/Ref/data/svg-with-external-script.svg
Andreas Kling 91cf575b82 LibWeb: Disable script execution for SVG images loaded via <img>
SVG images loaded as <img> elements must not execute scripts per spec.
Previously, SVGScriptElement::process_the_script_element() did not
check whether scripting was disabled, so script processing was
triggered via the children_changed() callback during XML parsing,
causing a nested event loop spin.

Fix this by:
- Disabling scripting on the SVG image's Page
- Passing XMLScriptingSupport::Disabled to the XML document builder
- Checking is_scripting_disabled() in SVGScriptElement before
  processing any script element
- Logging a diagnostic when SVG XML parsing fails (previously the
  parse result was silently discarded)
2026-02-01 22:48:51 +01:00

5 lines | 239 B | XML

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100" width="100" height="100">
<rect width="100" height="100" fill="green"/>
<script xlink:href="https://example.com/evil.js"/>
</svg>
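
Added example, not part of the Ladybird repository: a checker that lists the script elements in an SVG file such as this fixture, which is exactly what an image-mode loader must leave unexecuted. The function name and the FIXTURE constant are assumptions of this example; it goes beyond the fixture by also reporting inline scripts and the plain href attribute, and it reports malformed XML instead of discarding the parse result.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample that mirrors the fixture shown on this page.
FIXTURE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100" width="100" height="100">
<rect width="100" height="100" fill="green"/>
<script xlink:href="https://example.com/evil.js"/>
</svg>"""


def find_svg_scripts(svg_text):
    """Return one dict per SVG <script> element found in svg_text.

    'external' is the referenced URL (href or xlink:href) or None;
    'inline' is True when the element carries script text of its own.
    Malformed XML raises ValueError so the failure is visible to the caller.
    """
    # For untrusted uploads, a hardened parser such as defusedxml is the safer choice.
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as err:
        raise ValueError(f"SVG is not well-formed XML: {err}") from err

    findings = []
    # Only elements in the SVG namespace count as SVG script elements.
    for el in root.iter(f"{{{SVG_NS}}}script"):
        href = el.get("href") or el.get(f"{{{XLINK_NS}}}href")
        findings.append({
            "external": href,
            "inline": bool((el.text or "").strip()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_svg_scripts(FIXTURE):
        print(finding)
```

An empty result means the file has no script elements; it says nothing about other active content, which this example does not inspect.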