SVG SECURITY
A simple and lightweight library that validates SVG files from a security standpoint.
It helps you detect malicious content inside uploaded SVGs.
Are you aware that SVG can cause XSS?
Read https://sekurak.pl/pozwalasz-ladowac-pliki-svg-masz-xss-a/ for more details.
Example
Try uploading this SVG into your application; if it is accepted and a user can open the file in a browser, you are probably vulnerable to an XSS attack.

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Hello, world!');
</script>
</svg>
```
Usage
Add the library dependency:

```groovy
compile "com.github.bgalek.security.svg:safe-svg:1.1.2"
```
You can use this library to check uploaded SVG files:

```java
import com.github.bgalek.security.svg.SvgSecurityValidator;
import com.github.bgalek.security.svg.ValidationResult;

// The SVG from the example above, as a Java string.
String svg = "<?xml version=\"1.0\" standalone=\"no\"?>\n" +
        "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n" +
        "<svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\">\n" +
        "<polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>\n" +
        "<script type=\"text/javascript\">\n" +
        "alert('Hello, world!');\n" +
        "</script>\n" +
        "</svg>";

// Instantiation via the no-argument constructor is assumed for this version of the API.
SvgSecurityValidator svgSecurityValidator = new SvgSecurityValidator();
ValidationResult validation = svgSecurityValidator.validate(svg);
if (validation.hasViolations()) {
    // Reject the upload and report which elements triggered the violation.
    throw new RuntimeException("this file is suspicious: " + validation.getOffendingElements());
}
```
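To show what a validator like this has to look for, here is an added example (not the safe-svg library's own code) that scans an SVG for the script element from the page's sample, plus event-handler attributes and script-scheme URIs, using only the Python standard library; the names `find_offending_elements` and `is_safe` are this example's own.

```python
# Added example (not the safe-svg library's code): a minimal detector for the
# active content the page warns about, using only the Python standard library.
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute script or embed arbitrary HTML inside an SVG.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URI and may therefore carry a script scheme.
URI_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

def _local_name(qualified):
    # ElementTree spells namespaced names as '{uri}local'; keep only 'local'.
    return qualified.rsplit("}", 1)[-1]

def find_offending_elements(svg_text):
    """Return 'element[@attribute]: reason' strings; an empty list means clean."""
    # The stdlib parser does not fetch the external DTD named in the DOCTYPE;
    # a production validator should still use a hardened XML parser.
    root = ET.fromstring(svg_text)
    offending = []
    for element in root.iter():
        name = _local_name(element.tag)
        if name.lower() in FORBIDDEN_TAGS:
            offending.append("%s: forbidden element" % name)
        for attr, value in element.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                offending.append("%s@%s: event handler attribute" % (name, attr_name))
            elif attr in URI_ATTRIBUTES and SCRIPT_URI.match(value):
                offending.append("%s@%s: script URI" % (name, attr_name))
    return offending

def is_safe(svg_text):
    return not find_offending_elements(svg_text)

# The SVG from the page's own example: a harmless polygon plus an inline script.
MALICIOUS_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Hello, world!');
</script>
</svg>"""
# Same drawing with the script stripped (constructed here for comparison).
BENIGN_SVG = MALICIOUS_SVG.split("<script")[0] + "</svg>"
```

Running `find_offending_elements(MALICIOUS_SVG)` reports the script element, while `is_safe(BENIGN_SVG)` is true for the same drawing without it.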