Fabric.js Stored Cross-Site Scripting Vulnerability via SVG Export

Vulnerability

A stored cross-site scripting vulnerability has been identified in Fabric.js versions prior to 7.2.0. The issue arises during SVG export, where user-controlled string values are not properly escaped, allowing for the injection of arbitrary SVG elements and event handlers. This vulnerability can be exploited by loading attacker-controlled JSON into the application, which is then exported as SVG and rendered in a browser context.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user's browser session, potentially leading to unauthorized actions or data exposure.

Reproduction

To reproduce this vulnerability, load a JSON object containing unescaped strings into a Fabric.js canvas using the `loadFromJSON()` method. Ensure that the strings are crafted to break out of SVG attributes and inject SVG elements, such as images or event handlers. After exporting the canvas to SVG with the `toSVG()` method, the injected scripts will execute when the SVG is rendered in a browser.

Remediation

Users can update to Fabric.js version 7.2.0 or later, where this vulnerability has been fixed.
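
The escaping failure described under Vulnerability, shown on a toy serializer with a regression check that flags attributes the export should never contain. This is an added example, not Fabric.js code and not part of the original advisory; the function names, the `id` field and the sample object are assumptions made for illustration.

```javascript
// Added example: toy serializers for illustration, not Fabric.js source code.

// Escape the five XML-significant characters so a value cannot leave its attribute.
const XML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// "Before": string values are concatenated into the markup unescaped.
function rectToSvgUnsafe(obj) {
  return `<rect id="${obj.id}" width="${obj.width}" height="${obj.height}"/>`;
}

// "After": every value is escaped before it is placed inside an attribute.
function rectToSvgSafe(obj) {
  return `<rect id="${escapeXml(obj.id)}" width="${escapeXml(obj.width)}" ` +
    `height="${escapeXml(obj.height)}"/>`;
}

// Names of all quoted attributes found in a serialized element.
function attributeNames(svg) {
  const attr = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"[^"]*"|'[^']*')/g;
  return [...svg.matchAll(attr)].map((m) => m[1]);
}

// Regression check: report attributes the serializer was never meant to emit.
function unexpectedAttributes(svg, allowed) {
  return attributeNames(svg).filter((name) => !allowed.includes(name));
}

// Constructed input: a quote ends the id attribute early and a harmless
// marker attribute follows, standing in for any injected attribute.
const CONSTRUCTED_OBJECT = { id: 'x" data-injected="1', width: 10, height: 5 };
const ALLOWED = ['id', 'width', 'height'];

console.log(unexpectedAttributes(rectToSvgUnsafe(CONSTRUCTED_OBJECT), ALLOWED));
console.log(unexpectedAttributes(rectToSvgSafe(CONSTRUCTED_OBJECT), ALLOWED));
```

The same allowlist check can run in a test suite against real export output to confirm that an upgraded build no longer lets string values add attributes.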

Added: Feb 19, 2026, 8:58 PM
Updated: Feb 19, 2026, 8:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.6
remediation: 0.0
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.