Mozilla Foundation Security Advisory 2011-27

XSS encoding hazard with inline SVG

Announced
June 21, 2011
Reporter
Mario Heiderich
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 5
  • SeaMonkey 2.2

Description

Security researcher Mario Heiderich reported that HTML-encoded entities were being improperly decoded when displayed inside SVG elements. This could lead to XSS attacks on sites relying on HTML encoding of user-supplied content.

The inline SVG feature was introduced in the browser engine used by Firefox 4 and SeaMonkey 2.1; the vulnerability does not affect earlier versions.

References