Stored XSS via SVG Upload Horizontal Tab Character Filter Evasion
Vulnerability Summary
Stored Cross-Site Scripting via SVG File Upload Filter Bypass
Due to a severe misconfiguration in how the platform's sanitization layer processes URI schemes within SVG documents, an attacker is able to upload a crafted SVG file that, once stored server-side and rendered inline for any user who opens the shared conversation, silently executes arbitrary JavaScript under the platform's origin — with full access to session cookies, tokens, and DOM context.
Censorship Note: All data (domains, paths, URIs, and variables) have been strictly anonymized using entirely fictional nomenclature (e.g., redactedchat.net). This report documents an indirect execution of arbitrary JavaScript within a simulated environment to guarantee 100% privacy for the original enterprise.
Vulnerability Analysis
Modern chat platforms frequently allow users to attach image files, including SVG, to enhance conversation context. Unlike raster formats (PNG, JPEG), SVG is an XML-based format that natively supports scripting, event handlers, and — critically — anchor elements with href attributes capable of carrying URI schemes such as javascript:.
The platform had implemented a sanitization routine designed to detect and remove javascript: URIs from SVG <a href> attributes before storing and rendering the file. The filter operated by performing a direct string comparison against the raw attribute value.
The discovered flaw lay in how browsers normalize URI schemes prior to processing them. The HTML specification defines that ASCII control characters — including the horizontal tab (U+0009) — are silently stripped or ignored by the browser's URL parser when encountered within a URI scheme. This means a value such as:
j	avascript:confirm(document.cookie)
is treated by any standards-compliant browser as a fully valid javascript: URI, while the platform's sanitization routine, operating on the raw, un-normalized string, fails to recognize the scheme and permits the value through without modification.
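As an added illustration, not the platform's code or the report's own, the following Python sketch places the flawed raw-string check beside a check that first normalizes the value the way the browser's URL parser does and then allowlists schemes. The sample SVG and its redactedchat.net link are constructed, and the normalization is a hand-written approximation of the URL Standard's pre-processing rather than a full parser.

```python
import re
from xml.etree import ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
SAFE_SCHEMES = {"http", "https", "mailto"}
# What the URL parser trims from both ends of its input: C0 controls and space.
C0_AND_SPACE = "".join(chr(i) for i in range(0x21))

# Constructed sample: the tab-split scheme from the report inside an <a href>.
# The tab is written as &#9; because XML attribute normalization turns a literal
# tab into a space at parse time, whereas a character reference survives as a tab.
SAMPLE_SVG = (
    '<svg xmlns="%s" xmlns:xlink="%s">'
    '<a href="j&#9;avascript:confirm(document.cookie)"><text y="20">open</text></a>'
    '<a xlink:href="https://redactedchat.net/help"><text y="40">help</text></a>'
    '</svg>'
) % (SVG_NS, XLINK_NS)

def naive_is_blocked(raw):
    """The flawed check described above: a direct comparison on the raw value."""
    return raw.lower().startswith("javascript:")

def normalize_url(raw):
    """Approximate the browser's URL pre-processing (assumption: a hand-written
    subset): trim leading/trailing C0 controls and spaces, then delete every
    ASCII tab and newline wherever it appears in the string."""
    return re.sub(r"[\t\n\r]", "", raw.strip(C0_AND_SPACE))

def scheme_of(url):
    """Lowercased scheme of a URL, or None for relative and fragment-only URLs."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", url)
    return m.group(1).lower() if m else None

def hardened_is_allowed(raw):
    """Allowlist on the normalized value: only relative URLs and known-safe
    schemes pass; javascript:, data:, vbscript: and the like are rejected."""
    scheme = scheme_of(normalize_url(raw))
    return scheme is None or scheme in SAFE_SCHEMES

def audit_svg(svg_text):
    """For each <a> href in the SVG: (raw value, naive_blocked, hardened_allowed)."""
    rows = []
    for el in ET.fromstring(svg_text).iter("{%s}a" % SVG_NS):
        for attr in HREF_ATTRS:
            if attr in el.attrib:
                raw = el.attrib[attr]
                rows.append((raw, naive_is_blocked(raw), hardened_is_allowed(raw)))
    return rows
```

Running `audit_svg(SAMPLE_SVG)` shows the first link passing the naive check untouched while the hardened check rejects it, and the plain https link passing both.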
The malicious SVG is stored on the platform's servers exactly as submitted. Every subsequent user who opens the shared conversation has the file rendered inline inside the main application origin, and a single click on the visible link triggers execution.