Shopware: Stored XSS via SVG file upload — no SVG sanitization
SVG files are in the allowed_extensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (onload, `, ) executes in the context of the Shopware domain when accessed.
The Problem
In src/Core/Framework/Resources/config/packages/shopware.yaml, line 194:
allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]SVG is whitelisted. The upload path (MediaUploadController → FileSaver → TypeDetector) recognizes SVG as ImageType with VECTOR_GRAPHIC flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML.
A search of the entire codebase for SVG sanitization returns — no DOMPurify, no svg-sanitize, no strip_tags on SVG content, nothing.
Impact
Stored XSS affecting all users who view the uploaded SVG. In an e-commerce context, this can lead to admin account takeover, customer data theft, or malicious plugin installation.
Suggested Fix
Either:
- Remove SVG from allowed_extensions
if SVG upload is not a core requirement - Sanitize SVG content on upload using a library like enshrined/svg-sanitize
(strips scripts, event handlers, external references) - Serve SVGs with Content-Disposition: attachment
to prevent inline rendering - Serve SVGs from a separate domain (like Nextcloud's usercontent.apps.nextcloud.com
)
Option 2 is the most practical — enshrined/svg-sanitize` is already used by WordPress and other PHP projects.
Regards & BG, Keyvan Hardani