
Remove all known unsafe attrs from SVG during sanitization; Add Content-Security-Policy header to response

DarthSim 2 роки тому
батько
коміт
bbb6a3335d
3 змінених файлів з 117 додано та 1 видалено
  1. 2 0
      processing_handler.go
  2. 1 1
      svg/svg.go
  3. 114 0
      svg/unsafe_attrs.go

+ 2 - 0
processing_handler.go

@@ -128,6 +128,8 @@ func respondWithImage(reqID string, r *http.Request, rw http.ResponseWriter, sta
 		rw.Header().Set("X-Result-Height", resultData.Headers["X-Result-Height"])
 	}
 
+	rw.Header().Set("Content-Security-Policy", "script-src 'none'")
+
 	rw.Header().Set("Content-Length", strconv.Itoa(len(resultData.Data)))
 	rw.WriteHeader(statusCode)
 	rw.Write(resultData.Data)
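Review bot: The `script-src 'none'` value on the added Content-Security-Policy line only governs script execution; when an SVG is opened as a top-level document it still leaves `<object>`/`<embed>` inside `<foreignObject>` and other resource loads unrestricted, and when the SVG is embedded via `<img>` the header has no effect at all because browsers do not run scripts there anyway. Extending the value to `rw.Header().Set("Content-Security-Policy", "script-src 'none'; object-src 'none'")` costs nothing for image rendering; a `sandbox` directive would be stronger still, but needs checking against how consumers load the SVGs. The header is set for every image format rather than only SVG, which is harmless but deserves a why-comment, e.g. `// Defence in depth for sanitized SVG: forbid script execution if the image is opened directly.` respondWithImage starts and ends outside the hunk, so whether a matching X-Content-Type-Options header is already set nearby cannot be seen here.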

+ 1 - 1
svg/svg.go

@@ -73,7 +73,7 @@ func Satitize(data *imagedata.ImageData) (*imagedata.ImageData, error) {
 			}
 			buf.Write(tdata)
 		case xml.AttributeToken:
-			if strings.ToLower(string(l.Text())) == "onload" {
+			if _, unsafe := unsafeAttrs[strings.ToLower(string(l.Text()))]; unsafe {
 				continue
 			}
 			buf.Write(tdata)
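Review bot: The new test in the `xml.AttributeToken` branch is still an exact-match denylist, so any event-handler attribute absent from `unsafeAttrs` passes through untouched; since no standard SVG or HTML attribute other than an event handler begins with `on`, a prefix check is the more robust guard: `if name := strings.ToLower(string(l.Text())); strings.HasPrefix(name, "on") { continue }`, with the map kept only if an explicit list is wanted for auditing. This branch inspects attribute names only, and the rest of Satitize lies outside the hunk, so it cannot be seen whether `<script>` elements and script-bearing `href`/`xlink:href` values are stripped elsewhere. As a point of style, `ok` rather than `unsafe` is the conventional name for the boolean of a map lookup.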

+ 114 - 0
svg/unsafe_attrs.go

@@ -0,0 +1,114 @@
+package svg
+
+var unsafeAttrs = map[string]struct{}{
+	"onafterprint":               {},
+	"onafterscriptexecute":       {},
+	"onanimationcancel":          {},
+	"onanimationend":             {},
+	"onanimationiteration":       {},
+	"onanimationstart":           {},
+	"onauxclick":                 {},
+	"onbeforecopy":               {},
+	"onbeforecut":                {},
+	"onbeforeinput":              {},
+	"onbeforeprint":              {},
+	"onbeforescriptexecute":      {},
+	"onbeforeunload":             {},
+	"onbegin":                    {},
+	"onblur":                     {},
+	"onbounce":                   {},
+	"oncanplay":                  {},
+	"oncanplaythrough":           {},
+	"onchange":                   {},
+	"onclick":                    {},
+	"onclose":                    {},
+	"oncontextmenu":              {},
+	"oncopy":                     {},
+	"oncuechange":                {},
+	"oncut":                      {},
+	"ondblclick":                 {},
+	"ondrag":                     {},
+	"ondragend":                  {},
+	"ondragenter":                {},
+	"ondragleave":                {},
+	"ondragover":                 {},
+	"ondragstart":                {},
+	"ondrop":                     {},
+	"ondurationchange":           {},
+	"onend":                      {},
+	"onended":                    {},
+	"onerror":                    {},
+	"onfinish":                   {},
+	"onfocus":                    {},
+	"onfocusin":                  {},
+	"onfocusout":                 {},
+	"onfullscreenchange":         {},
+	"onhashchange":               {},
+	"oninput":                    {},
+	"oninvalid":                  {},
+	"onkeydown":                  {},
+	"onkeypress":                 {},
+	"onkeyup":                    {},
+	"onload":                     {},
+	"onloadeddata":               {},
+	"onloadedmetadata":           {},
+	"onloadend":                  {},
+	"onloadstart":                {},
+	"onmessage":                  {},
+	"onmousedown":                {},
+	"onmouseenter":               {},
+	"onmouseleave":               {},
+	"onmousemove":                {},
+	"onmouseout":                 {},
+	"onmouseover":                {},
+	"onmouseup":                  {},
+	"onmousewheel":               {},
+	"onmozfullscreenchange":      {},
+	"onpagehide":                 {},
+	"onpageshow":                 {},
+	"onpaste":                    {},
+	"onpause":                    {},
+	"onplay":                     {},
+	"onplaying":                  {},
+	"onpointerdown":              {},
+	"onpointerenter":             {},
+	"onpointerleave":             {},
+	"onpointermove":              {},
+	"onpointerout":               {},
+	"onpointerover":              {},
+	"onpointerrawupdate":         {},
+	"onpointerup":                {},
+	"onpopstate":                 {},
+	"onprogress":                 {},
+	"onratechange":               {},
+	"onrepeat":                   {},
+	"onreset":                    {},
+	"onresize":                   {},
+	"onscroll":                   {},
+	"onsearch":                   {},
+	"onseeked":                   {},
+	"onseeking":                  {},
+	"onselect":                   {},
+	"onselectionchange":          {},
+	"onselectstart":              {},
+	"onshow":                     {},
+	"onstart":                    {},
+	"onsubmit":                   {},
+	"ontimeupdate":               {},
+	"ontoggle":                   {},
+	"ontouchend":                 {},
+	"ontouchmove":                {},
+	"ontouchstart":               {},
+	"ontransitioncancel":         {},
+	"ontransitionend":            {},
+	"ontransitionrun":            {},
+	"ontransitionstart":          {},
+	"onunhandledrejection":       {},
+	"onunload":                   {},
+	"onvolumechange":             {},
+	"onwebkitanimationend":       {},
+	"onwebkitanimationiteration": {},
+	"onwebkitanimationstart":     {},
+	"onwebkittransitionend":      {},
+	"onwheel":                    {},
+}
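Review bot: `unsafeAttrs` has no doc comment, and the list, though long, omits several standard handler attributes — at least `onabort`, `onactivate` and `onzoom` from SVG 1.1's document and graphical event attributes, and `onpointercancel`, `ontouchcancel` and `onwaiting` from the HTML/DOM handler set — so an SVG carrying one of those is returned by sanitization unchanged. Adding those entries is the minimal fix; a prefix check on the lookup in svg/svg.go would turn this list from load-bearing into advisory. Suggested comment above the declaration: `// unsafeAttrs is the set of lowercased attribute names removed by Satitize because they register script event handlers (SVG 1.1 events plus the HTML/DOM on* handlers).` The declaration is complete within the hunk.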