I'm converting svg images to png using aspose.html. I haven't found a way to disable external entity injection while converting these images.

The test .svg looks like this:

<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file://C:/WINDOWS/System32/drivers/etc/hosts" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg">
  <foreignObject width="100%" height="100%">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <div style="font-size: 50px; line-height: 1.2;">
        &xxe;
      </div>
    </body>
  </foreignObject>
</svg>

and my code looks like this:

using Aspose.Html;
using Aspose.Html.Converters;
using Aspose.Html.Dom.Svg;
using Aspose.Html.Saving;

License license = new License();
license.SetLicense(@"C:\temp\Aspose License\Aspose.Total.lic");
string svgPath = @"C:\temp\xml_external_entity.svg";
string pngPath = "output.png";

var configuration = new Aspose.Html.Configuration();
//.html/sandbox/
configuration.Security |= Sandbox.Navigation;
configuration.Security |= Sandbox.AuxiliaryNavigation;
configuration.Security |= Sandbox.TopLevelNavigation;
configuration.Security |= Sandbox.Plugins;
configuration.Security |= Sandbox.Origin;
configuration.Security |= Sandbox.Forms;
configuration.Security |= Sandbox.Scripts;
configuration.Security |= Sandbox.PointerLock;
configuration.Security |= Sandbox.AutomaticFeatures;
configuration.Security |= Sandbox.Fullscreen;
configuration.Security |= Sandbox.DocumentDomain;
configuration.Security |= Sandbox.Images;

using (var document = new SVGDocument(svgPath, configuration))
{
    var options = new ImageSaveOptions(Aspose.Html.Rendering.Image.ImageFormat.Png);
    Converter.ConvertSVG(document, options, pngPath);
}

No matter which security options I try, I always get the contents of my hosts file in the preview. Are there any other security options I can try?
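
One way to reject such files before they reach the converter, as an added example that is not part of the original post and not Aspose's own API: parse the SVG with .NET's `XmlReader` with DTD processing prohibited and refuse anything that carries a DOCTYPE. The class name `SvgDtdGuard` and the two sample strings are assumptions constructed for illustration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class SvgDtdGuard   // hypothetical helper name, not an Aspose type
{
    // Returns true only if the bytes parse as XML with no DOCTYPE at all.
    // With DtdProcessing.Prohibit, XmlReader throws XmlException at the first
    // <!DOCTYPE ...>, so no entity is ever declared or resolved.
    public static bool IsFreeOfDtd(byte[] svgBytes, out string reason)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,   // never fetch external resources while checking
        };
        try
        {
            using var stream = new MemoryStream(svgBytes, writable: false);
            using var reader = XmlReader.Create(stream, settings);
            while (reader.Read()) { }   // walk the whole document, not just the prolog
            reason = "";
            return true;
        }
        catch (XmlException ex)
        {
            reason = ex.Message;   // malformed XML is rejected too
            return false;
        }
    }

    static void Main()
    {
        // Constructed sample inputs (not files from the original post).
        string withDtd =
            "<!DOCTYPE test [ <!ENTITY xxe SYSTEM \"file:///C:/placeholder.txt\"> ]>" +
            "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&xxe;</text></svg>";
        string plain = "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>ok</text></svg>";

        foreach (var svg in new[] { withDtd, plain })
        {
            bool ok = IsFreeOfDtd(Encoding.UTF8.GetBytes(svg), out string reason);
            Console.WriteLine(ok ? "accepted: safe to hand to the converter"
                                 : "rejected: " + reason);
        }
    }
}
```

Run the check on the exact bytes that will be converted, rather than validating the path and letting the converter re-read the file, so the input cannot change between the check and the conversion.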

Tags: c#, Aspose.html convert svg xxe injection, Stack Overflow