Quote Originally Posted by Boris View Post
My ERP is being really tested for vulnerabilities.

I have fixed all but one...

they uploaded an .xml file with the following code:

Code:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">


<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(origin);
   </script>
</svg>
Is there a way I can also check for malicious code inside uploaded .xml files?
There are multiple ways to handle this kind of situation. The main question is where is the data shown? Though the XSS sanitiser (https://downloads.dataaccess.com/dow...01#description) is mainly used for HTML, I can imagine it working for this as well if you just disallow script etc. instead of using the "only-allowed" mode.

Haven't tried it myself, of course. The only thing I can imagine screwing things up here is the XML header being, of course, non-HTML, but that's up to testing I suppose.

But like I said, you know what happens with the data; it is not so much a problem as long as you don't put it in an iframe/htmlbox.
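As an added illustration of the upload-side check Boris asked about (not code from the ERP or from the sanitiser linked above), the function below parses an uploaded XML/SVG document and reports any active content: script-type elements, on* event-handler attributes, javascript: hrefs, and a DOCTYPE with an internal subset. The sample document is the constructed equivalent of the upload quoted in the question. Rendering context still matters, as the reply says; this only decides what gets stored.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: same shape as the upload described in the question.
SAMPLE_UPLOAD = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(origin);
   </script>
</svg>"""

# Elements that execute or embed foreign content; matched on local name, any namespace.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}


def local_name(qualified):
    """Strip the ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(xml_text):
    """Return a list of findings for an uploaded XML/SVG; an empty list means none found."""
    findings = []
    # Refuse a DOCTYPE with an internal subset ("[ ... ]"): that is where entity
    # expansion and external-entity declarations live, and an SVG upload never needs one.
    if re.search(r"<!DOCTYPE[^>]*\[", xml_text):
        return ["DOCTYPE with internal subset"]
    try:
        root = ET.fromstring(xml_text)  # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():  # walks root and every descendant
        name = local_name(elem.tag).lower()
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):  # onload, onclick, ... on any SVG element
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr} on <{name}>")
    return findings


if __name__ == "__main__":
    print(find_active_content(SAMPLE_UPLOAD))  # -> ['<script> element']
```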