Submission Details
Severity:
svg output is prone to adding script despite current approach, which will not show intended svg at first place
Summary
Token symbol can be used to influence the SVG output, which shouldn't be the case in ideal scenerio
Vulnerability Details
NFT descriptor is used to generate svg, metadata for particular NFT using the vesting data. Currently in safeAssetSymbol function length check is added to prevent script injection. But this doesn't fix the issue entirely.
Currently there is no filter added to not allow "<" ">" "script" ";" etc
Attacker can still create an asset, setting symbol within the given constraints to execute a popup. Untill user clicks on it , it won't show the actual nft.
POC
Alice create an asset with ticker symbol ><script>alert(404)</script>
The above string will pass the length check and it will influence the SVG on sablier frontend. The above script when added to SVG, it will always show pop up with showing This page says 404.
To check this, in generateSVG.t.sol
copy the expected svg and replace DAI with above script. Convert it to base64 using Base64.encode(bytes(expectedSVG) or via onlineTool like svgviewer.dev
we'll get output -
data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMDAwIiBoZWlnaHQ9IjEwMDAiIHZpZXdCb3g9IjAgMCAxMDAwIDEwMDAiPjxyZWN0IHdpZHRoPSIxMDAlIiBoZWlnaHQ9IjEwMCUiIGZpbHRlcj0idXJsKCNOb2lzZSkiLz48cmVjdCB4PSI3MCIgeT0iNzAiIHdpZHRoPSI4NjAiIGhlaWdodD0iODYwIiBmaWxsPSIjZmZmIiBmaWxsLW9wYWNpdHk9Ii4wMyIgcng9IjQ1IiByeT0iNDUiIHN0cm9rZT0iI2ZmZiIgc3Ryb2tlLW9wYWNpdHk9Ii4xIiBzdHJva2Utd2lkdGg9IjQiLz48ZGVmcz48Y2lyY2xlIGlkPSJHbG93IiByPSI1MDAiIGZpbGw9InVybCgjUmFkaWFsR2xvdykiLz48ZmlsdGVyIGlkPSJOb2lzZSI+PGZlRmxvb2QgeD0iMCIgeT0iMCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgZmxvb2QtY29sb3I9ImhzbCgyMzAsMjElLDExJSkiIGZsb29kLW9wYWNpdHk9IjEiIHJlc3VsdD0iZmxvb2RGaWxsIi8+PGZlVHVyYnVsZW5jZSBiYXNlRnJlcXVlbmN5PSIuNCIgbnVtT2N0YXZlcz0iMyIgcmVzdWx0PSJOb2lzZSIgdHlwZT0iZnJhY3RhbE5vaXNlIi8+PGZlQmxlbmQgaW49Ik5vaXNlIiBpbjI9ImZsb29kRmlsbCIgbW9kZT0ic29mdC1saWdodCIvPjwvZmlsdGVyPjxwYXRoIGlkPSJMb2dvIiBmaWxsPSIjZmZmIiBmaWxsLW9wYWNpdHk9Ii4xIiBkPSJtMTMzLjU1OSwxMjQuMDM0Yy0uMDEzLDIuNDEyLTEuMDU5LDQuODQ4LTIuOTIzLDYuNDAyLTIuNTU4LDEuODE5LTUuMTY4LDMuNDM5LTcuODg4LDQuOTk2LTE0LjQ0LDguMjYyLTMxLjA0NywxMi41NjUtNDcuNjc0LDEyLjU2OS04Ljg1OC4wMzYtMTcuODM4LTEuMjcyLTI2LjMyOC0zLjY2My05LjgwNi0yLjc2Ni0xOS4wODctNy4xMTMtMjcuNTYyLTEyLjc3OC0xMy44NDItOC4wMjUsOS40NjgtMjguNjA2LDE2LjE1My0zNS4yNjVoMGMyLjAzNS0xLjgzOCw0LjI1Mi0zLjU0Niw2LjQ2My01LjIyNGgwYzYuNDI5LTUuNjU1LDE2LjIxOC0yLjgzNSwyMC4zNTgsNC4xNyw0LjE0Myw1LjA1Nyw4LjgxNiw5LjY0OSwxMy45MiwxMy43MzRoLjAzN2M1LjczNiw2LjQ2MSwxNS4zNTctMi4yNTMsOS4zOC04LjQ4LDAsMC0zLjUxNS0zLjUxNS0zLjUxNS0zLjUxNS0xMS40OS0xMS40NzgtNTIuNjU2LTUyLjY2NC02NC44MzctNjQuODM3bC4wNDktLjAzN2MtMS43MjUtMS42MDYtMi43MTktMy44NDctMi43NTEtNi4yMDRoMGMtLjA0Ni0yLjM3NSwxLjA2Mi00LjU4MiwyLjcyNi02LjIyOWgwbC4xODUtLjE0OGgwYy4wOTktLjA2MiwuMjIyLS4xNDgsLjM3LS4yNTloMGMyLjA2LTEuMzYyLDMuOTUxLTIuNjIxLDYuMDQ0LTMuODQyQzU3Ljc2My0zLjQ3Myw5Ny43Ni0yLjM0MSwxMjguNjM3LDE4LjMzMmMxNi42NzEsOS45NDYtMjYuMzQ0LDU0LjgxMy0zOC42NTEsNDAuMTk5LTYuMjk5LTYuMDk2LTE4LjA2My0xNy43NDMtMTkuNjY4LTE4LjgxMS02LjAxNi00LjA0Ny0xMy4wNjEsNC43NzYtNy43NTIsOS43NTFsNjguMjU0LDY4LjM3MWMxLjcyNCwxLjYwMSwyLjcxNCwzLjg0LDIuNzM4LDYuMTkyWiIvPjxwYXRoIGlkPSJGbG9hdGluZ1RleHQiIGZpbGw9Im5vbmUiIGQ9Ik0xMjUgNDVoNzUwczgwIDAgODAgODB2NzUwczAgODAgLTgwIDgwaC03NTBzLTgwIDAgLTgwIC04MHYtNzUwczAgLTgwIDgwIC04MCIvPjxyYWRpYWxHcmFkaWVudCBpZD0iUmFkaWFsR2xvdyI+PHN0b3Agb2Zmc2V0PSIwJSIgc3RvcC1jb2xvcj0iaHNsKDE1NSwxOCUsMzAlKSIgc3RvcC1vcGFjaXR5PSIuNiIvPjxzdG9wIG9mZnNldD0iMTAwJSIgc3RvcC1jb2xvcj0iaHNsKDIzMCwyMSUsMTElKSIgc3RvcC1vcGFjaXR5PSIwIi8+PC9yYWRpYWxHcmFkaWVudD48bGluZWFyR3JhZGllbnQgaWQ9IlNhbmRUb3AiIHgxPSIwJSIgeTE9IjAlIj48c3RvcCBvZmZzZXQ9IjAlIiBzdG9wLWNvbG9yPSJoc2woMTU1LDE4JSwzMCUpIi8+PHN0b3Agb2Zmc2V0PSIxMDAlIiBzdG9wLWNvbG9yPSJoc2woMjMwLDIxJSwxMSUpIi8+PC9saW5lYXJHcmFkaWVudD48bGluZWFyR3JhZGllbnQgaWQ9IlNhbmRCb3R0b20iIHgxPSIxMDAlIiB5MT0iMTAwJSI+PHN0b3Agb2Zmc2V0PSIxMCUiIHN0b3AtY29sb3I9ImhzbCgyMzAsMjElLDExJSkiLz48c3RvcCBvZmZzZXQ9IjEwMCUiIHN0b3AtY29sb3I9ImhzbCgxNTUsMTglLDMwJSkiLz48YW5pbWF0ZSBhdHRyaWJ1dGVOYW1lPSJ4MSIgZHVyPSI2cyIgcmVwZWF0Q291bnQ9ImluZGVmaW5pdGUiIHZhbHVlcz0iMzAlOzYwJTsxMjAlOzYwJTszMCU7Ii8+PC9saW5lYXJHcmFkaWVudD48bGluZWFyR3JhZGllbnQgaWQ9IkhvdXJnbGFzc1N0cm9rZSIgZ3JhZGllbnRUcmFuc2Zvcm09InJvdGF0ZSg5MCkiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj48c3RvcCBvZmZzZXQ9IjUwJSIgc3RvcC1jb2xvcj0iaHNsKDE1NSwxOCUsMzAlKSIvPjxzdG9wIG9mZnNldD0iODAlIiBzdG9wLWNvbG9yPSJoc2woMjMwLDIxJSwxMSUpIi8+PC9saW5lYXJHcmFkaWVudD48ZyBpZD0iSG91cmdsYXNzIj48cGF0aCBkPSJNIDUwLDM2MCBhIDMwMCwzMDAgMCAxLDEgNjAwLDAgYSAzMDAsMzAwIDAgMSwxIC02MDAsMCIgZmlsbD0iI2ZmZiIgZmlsbC1vcGFjaXR5PSIuMDIiIHN0cm9rZT0idXJsKCNIb3VyZ2xhc3NTdHJva2UpIiBzdHJva2Utd2lkdGg9IjQiLz48cGF0aCBkPSJtNTY2LDE2MS4yMDF2LTUzLjkyNGMwLTE5LjM4Mi0yMi41MTMtMzcuNTYzLTYzLjM5OC01MS4xOTgtNDAuNzU2LTEzLjU5Mi05NC45NDYtMjEuMDc5LTE1Mi41ODctMjEuMDc5cy0xMTEuODM4LDcuNDg3LTE1Mi42MDIsMjEuMDc5Yy00MC44OTMsMTMuNjM2LTYzLjQxMywzMS44MTYtNjMuNDEzLDUxLjE5OHY1My45MjRjMCwxNy4xODEsMTcuNzA0LDMzLjQyNyw1MC4yMjMsNDYuMzk0djI4NC44MDljLTMyLjUxOSwxMi45Ni01MC4yMjMsMjkuMjA2LTUwLjIyMyw0Ni4zOTR2NTMuOTI0YzAsMTkuMzgyLDIyLjUyLDM3LjU2Myw2My40MTMsNTEuMTk4LDQwLjc2MywxMy41OTIsOTQuOTU0LDIxLjA3OSwxNTIuNjAyLDIxLjA3OXMxMTEuODMxLTcuNDg3LDE1Mi41ODctMjEuMDc5YzQwLjg4Ni0xMy42MzYsNjMuMzk4LTMxLjgxNiw2My4zOTgtNTEuMTk4di01My45MjRjMC0xNy4xOTYtMTcuNzA0LTMzLjQzNS01MC4yMjMtNDYuNDAxVjIwNy42MDNjMzIuNTE5LTEyLjk2Nyw1MC4yMjMtMjkuMjA2LDUwLjIyMy00Ni40MDFabS0zNDcuNDYyLDU3Ljc5M2wxMzAuOTU5LDEzMS4wMjctMTMwLjk1OSwxMzEuMDEzVjIxOC45OTRabTI2Mi45MjQuMDIydjI2Mi4wMThsLTEzMC45MzctMTMxLjAwNiwxMzAuOTM3LTEzMS4wMTNaIiBmaWxsPSIjMTYxODIyIj48L3BhdGg+PHBvbHlnb24gcG9pbnRzPSIzNTAgMzUwLjAyNiA0MTUuMDMgMjg0Ljk3OCAyODUgMjg0Ljk3OCAzNTAgMzUwLjAyNiIgZmlsbD0idXJsKCNTYW5kQm90dG9tKSIvPjxwYXRoIGQ9Im00MTYuMzQxLDI4MS45NzVjMCwuOTE0LS4zNTQsMS44MDktMS4wMzUsMi42OC01LjU0Miw3LjA3Ni0zMi42NjEsMTIuNDUtNjUuMjgsMTIuNDUtMzIuNjI0LDAtNTkuNzM4LTUuMzc0LTY1LjI4LTEyLjQ1LS42ODEtLjg3Mi0xLjAzNS0xLjc2Ny0xLjAzNS0yLjY4LDAtLjkxNC4zNTQtMS44MDgsMS4wMzUtMi42NzYsNS41NDItNy4wNzYsMzIuNjU2LTEyLjQ1LDY1LjI4LTEyLjQ1LDMyLjYxOSwwLDU5LjczOCw1LjM3NCw2NS4yOCwxMi40NS42ODEuODY3LDEuMDM1LDEuNzYyLDEuMDM1LDIuNjc2WiIgZmlsbD0idXJsKCNTYW5kVG9wKSIvPjxwYXRoIGQ9Im00ODEuNDYsNTA0LjEwMXY1OC40NDljLTIuMzUuNzctNC44MiwxLjUxLTcuMzksMi4yMy0zMC4zLDguNTQtNzQuNjUsMTMuOTItMTI0LjA2LDEzLjkyLTUzLjYsMC0xMDEuMjQtNi4zMy0xMzEuNDctMTYuMTZ2LTU4LjQzOWgyNjIuOTJaIiBmaWxsPSJ1cmwoI1NhbmRCb3R0b20pIi8+PGVsbGlwc2UgY3g9IjM1MCIgY3k9IjUwNC4xMDEiIHJ4PSIxMzEuNDYyIiByeT0iMjguMTA4IiBmaWxsPSJ1cmwoI1NhbmRUb3ApIi8+PGcgZmlsbD0ibm9uZSIgc3Ryb2tlPSJ1cmwoI0hvdXJnbGFzc1N0cm9rZSkiIHN0cm9rZS1saW5lY2FwPSJyb3VuZCIgc3Ryb2tlLW1pdGVybGltaXQ9IjEwIiBzdHJva2Utd2lkdGg9IjQiPjxwYXRoIGQ9Im01NjUuNjQxLDEwNy4yOGMwLDkuNTM3LTUuNTYsMTguNjI5LTE1LjY3NiwyNi45NzNoLS4wMjNjLTkuMjA0LDcuNTk2LTIyLjE5NCwxNC41NjItMzguMTk3LDIwLjU5Mi0zOS41MDQsMTQuOTM2LTk3LjMyNSwyNC4zNTUtMTYxLjczMywyNC4zNTUtOTAuNDgsMC0xNjcuOTQ4LTE4LjU4Mi0xOTkuOTUzLTQ0Ljk0OGgtLjAyM2MtMTAuMTE1LTguMzQ0LTE1LjY3Ni0xNy40MzctMTUuNjc2LTI2Ljk3MywwLTM5LjczNSw5Ni41NTQtNzEuOTIxLDIxNS42NTItNzEuOTIxczIxNS42MjksMzIuMTg1LDIxNS42MjksNzEuOTIxWiIvPjxwYXRoIGQ9Im0xMzQuMzYsMTYxLjIwM2MwLDM5LjczNSw5Ni41NTQsNzEuOTIxLDIxNS42NTIsNzEuOTIxczIxNS42MjktMzIuMTg2LDIxNS42MjktNzEuOTIxIi8+PGxpbmUgeDE9IjEzNC4zNiIgeTE9IjE2MS4yMDMiIHgyPSIxMzQuMzYiIHkyPSIxMDcuMjgiLz48bGluZSB4MT0iNTY1LjY0IiB5MT0iMTYxLjIwMyIgeDI9IjU2NS42NCIgeTI9IjEwNy4yOCIvPjxsaW5lIHgxPSIxODQuNTg0IiB5MT0iMjA2LjgyMyIgeDI9IjE4NC41ODUiIHkyPSI1MzcuNTc5Ii8+PGxpbmUgeDE9IjIxOC4xODEiIHkxPSIyMTguMTE4IiB4Mj0iMjE4LjE4MSIgeTI9IjU2Mi41MzciLz48bGluZSB4MT0iNDgxLjgxOCIgeTE9IjIxOC4xNDIiIHgyPSI0ODEuODE5IiB5Mj0iNTYyLjQyOCIvPjxsaW5lIHgxPSI1MTUuNDE1IiB5MT0iMjA3LjM1MiIgeDI9IjUxNS40MTYiIHkyPSI1MzcuNTc5Ii8+PHBhdGggZD0ibTE4NC41OCw1MzcuNThjMCw1LjQ1LDQuMjcsMTAuNjUsMTIuMDMsMTUuNDJoLjAyYzUuNTEsMy4zOSwxMi43OSw2LjU1LDIxLjU1LDkuNDIsMzAuMjEsOS45LDc4LjAyLDE2LjI4LDEzMS44MywxNi4yOCw0OS40MSwwLDkzLjc2LTUuMzgsMTI0LjA2LTEzLjkyLDIuNy0uNzYsNS4yOS0xLjU0LDcuNzUtMi4zNSw4Ljc3LTIuODcsMTYuMDUtNi4wNCwyMS41Ni05LjQzaDBjNy43Ni00Ljc3LDEyLjA0LTkuOTcsMTIuMDQtMTUuNDIiLz48cGF0aCBkPSJtMTg0LjU4Miw0OTIuNjU2Yy0zMS4zNTQsMTIuNDg1LTUwLjIyMywyOC41OC01MC4yMjMsNDYuMTQyLDAsOS41MzYsNS41NjQsMTguNjI3LDE1LjY3NywyNi45NjloLjAyMmM4LjUwMyw3LjAwNSwyMC4yMTMsMTMuNDYzLDM0LjUyNCwxOS4xNTksOS45OTksMy45OTEsMjEuMjY5LDcuNjA5LDMzLjU5NywxMC43ODgsMzYuNDUsOS40MDcsODIuMTgxLDE1LjAwMiwxMzEuODM1LDE1LjAwMnM5NS4zNjMtNS41OTUsMTMxLjgwNy0xNS4wMDJjMTAuODQ3LTIuNzksMjAuODY3LTUuOTI2LDI5LjkyNC05LjM0OSwxLjI0NC0uNDY3LDIuNDczLS45NDIsMy42NzMtMS40MjQsMTQuMzI2LTUuNjk2LDI2LjAzNS0xMi4xNjEsMzQuNTI0LTE5LjE3M2guMDIyYzEwLjExNC04LjM0MiwxNS42NzctMTcuNDMzLDE1LjY3Ny0yNi45NjksMC0xNy41NjItMTguODY5LTMzLjY2NS01MC4yMjMtNDYuMTUiLz48cGF0aCBkPSJtMTM0LjM2LDU5Mi43MmMwLDM5LjczNSw5Ni41NTQsNzEuOTIxLDIxNS42NTIsNzEuOTIxczIxNS42MjktMzIuMTg2LDIxNS42MjktNzEuOTIxIi8+PGxpbmUgeDE9IjEzNC4zNiIgeTE9IjU5Mi43MiIgeDI9IjEzNC4zNiIgeTI9IjUzOC43OTciLz48bGluZSB4MT0iNTY1LjY0IiB5MT0iNTkyLjcyIiB4Mj0iNTY1LjY0IiB5Mj0iNTM4Ljc5NyIvPjxwb2x5bGluZSBwb2ludHM9IjQ4MS44MjIgNDgxLjkwMSA0ODEuNzk4IDQ4MS44NzcgNDgxLjc3NSA0ODEuODU0IDM1MC4wMTUgMzUwLjAyNiAyMTguMTg1IDIxOC4xMjkiLz48cG9seWxpbmUgcG9pbnRzPSIyMTguMTg1IDQ4MS45MDEgMjE4LjIzMSA0ODEuODU0IDM1MC4wMTUgMzUwLjAyNiA0ODEuODIyIDIxOC4xNTIiLz48L2c+PC9nPjxnIGlkPSJQcm9ncmVzcyIgZmlsbD0iI2ZmZiI+PHJlY3Qgd2lkdGg9IjE0NCIgaGVpZ2h0PSIxMDAiIGZpbGwtb3BhY2l0eT0iLjAzIiByeD0iMTUiIHJ5PSIxNSIgc3Ryb2tlPSIjZmZmIiBzdHJva2Utb3BhY2l0eT0iLjEiIHN0cm9rZS13aWR0aD0iNCIvPjx0ZXh0IHg9IjIwIiB5PSIzNCIgZm9udC1mYW1pbHk9IlwnQ291cmllciBOZXdcJyxBcmlhbCxtb25vc3BhY2UiIGZvbnQtc2l6ZT0iMjJweCI+UHJvZ3Jlc3M8L3RleHQ+PHRleHQgeD0iMjAiIHk9IjcyIiBmb250LWZhbWlseT0iXCdDb3VyaWVyIE5ld1wnLEFyaWFsLG1vbm9zcGFjZSIgZm9udC1zaXplPSIyNnB4Ij4wJTwvdGV4dD48L2c+PGcgaWQ9IlN0YXR1cyIgZmlsbD0iI2ZmZiI+PHJlY3Qgd2lkdGg9IjE1MiIgaGVpZ2h0PSIxMDAiIGZpbGwtb3BhY2l0eT0iLjAzIiByeD0iMTUiIHJ5PSIxNSIgc3Ryb2tlPSIjZmZmIiBzdHJva2Utb3BhY2l0eT0iLjEiIHN0cm9rZS13aWR0aD0iNCIvPjx0ZXh0IHg9IjIwIiB5PSIzNCIgZm9udC1mYW1pbHk9IlwnQ291cmllciBOZXdcJyxBcmlhbCxtb25vc3BhY2UiIGZvbnQtc2l6ZT0iMjJweCI+U3RhdHVzPC90ZXh0Pjx0ZXh0IHg9IjIwIiB5PSI3MiIgZm9udC1mYW1pbHk9IlwnQ291cmllciBOZXdcJyxBcmlhbCxtb25vc3BhY2UiIGZvbnQtc2l6ZT0iMjZweCI+UGVuZGluZzwvdGV4dD48L2c+PGcgaWQ9IkFtb3VudCIgZmlsbD0iI2ZmZiI+PHJlY3Qgd2lkdGg9IjExOCIgaGVpZ2h0PSIxMDAiIGZpbGwtb3BhY2l0eT0iLjAzIiByeD0iMTUiIHJ5PSIxNSIgc3Ryb2tlPSIjZmZmIiBzdHJva2Utb3BhY2l0eT0iLjEiIHN0cm9rZS13aWR0aD0iNCIvPjx0ZXh0IHg9IjIwIiB5PSIzNCIgZm9udC1mYW1pbHk9IlwnQ291cmllciBOZXdcJyxBcmlhbCxtb25vc3BhY2UiIGZvbnQtc2l6ZT0iMjJweCI+QW1vdW50PC90ZXh0Pjx0ZXh0IHg9IjIwIiB5PSI3MiIgZm9udC1mYW1pbHk9IlwnQ291cmllciBOZXdcJyxBcmlhbCxtb25vc3BhY2UiIGZvbnQtc2l6ZT0iMjZweCI+MTAwPC90ZXh0PjwvZz48ZyBpZD0iRHVyYXRpb24iIGZpbGw9IiNmZmYiPjxyZWN0IHdpZHRoPSIxNDQiIGhlaWdodD0iMTAwIiBmaWxsLW9wYWNpdHk9Ii4wMyIgcng9IjE1IiByeT0iMTUiIHN0cm9rZT0iI2ZmZiIgc3Ryb2tlLW9wYWNpdHk9Ii4xIiBzdHJva2Utd2lkdGg9IjQiLz48dGV4dCB4PSIyMCIgeT0iMzQiIGZvbnQtZmFtaWx5PSJcJ0NvdXJpZXIgTmV3XCcsQXJpYWwsbW9ub3NwYWNlIiBmb250LXNpemU9IjIycHgiPkR1cmF0aW9uPC90ZXh0Pjx0ZXh0IHg9IjIwIiB5PSI3MiIgZm9udC1mYW1pbHk9IlwnQ291cmllciBOZXdcJyxBcmlhbCxtb25vc3BhY2UiIGZvbnQtc2l6ZT0iMjZweCI+NSBEYXlzPC90ZXh0PjwvZz48L2RlZnM+PHRleHQgdGV4dC1yZW5kZXJpbmc9Im9wdGltaXplU3BlZWQiPjx0ZXh0UGF0aCBzdGFydE9mZnNldD0iLTEwMCUiIGhyZWY9IiNGbG9hdGluZ1RleHQiIGZpbGw9IiNmZmYiIGZvbnQtZmFtaWx5PSJcJ0NvdXJpZXIgTmV3XCcsQXJpYWwsbW9ub3NwYWNlIiBmaWxsLW9wYWNpdHk9Ii44IiBmb250LXNpemU9IjI2cHgiPjxhbmltYXRlIGFkZGl0aXZlPSJzdW0iIGF0dHJpYnV0ZU5hbWU9InN0YXJ0T2Zmc2V0IiBiZWdpbj0iMHMiIGR1cj0iNTBzIiBmcm9tPSIwJSIgcmVwZWF0Q291bnQ9ImluZGVmaW5pdGUiIHRvPSIxMDAlIi8+MHhmM2EwNDVkYzk4NjAxNWJlOWFlNDNiYjM0NjJhZTU5ODFiMDgxNmUwIOKAoiBTYWJsaWVyIFYyIExvY2t1cCBMaW5lYXI8L3RleHRQYXRoPjx0ZXh0UGF0aCBzdGFydE9mZnNldD0iMCUiIGhyZWY9IiNGbG9hdGluZ1RleHQiIGZpbGw9IiNmZmYiIGZvbnQtZmFtaWx5PSJcJ0NvdXJpZXIgTmV3XCcsQXJpYWwsbW9ub3NwYWNlIiBmaWxsLW9wYWNpdHk9Ii44IiBmb250LXNpemU9IjI2cHgiPjxhbmltYXRlIGFkZGl0aXZlPSJzdW0iIGF0dHJpYnV0ZU5hbWU9InN0YXJ0T2Zmc2V0IiBiZWdpbj0iMHMiIGR1cj0iNTBzIiBmcm9tPSIwJSIgcmVwZWF0Q291bnQ9ImluZGVmaW5pdGUiIHRvPSIxMDAlIi8+MHhmM2EwNDVkYzk4NjAxNWJlOWFlNDNiYjM0NjJhZTU5ODFiMDgxNmUwIOKAoiBTYWJsaWVyIFYyIExvY2t1cCBMaW5lYXI8L3RleHRQYXRoPjx0ZXh0UGF0aCBzdGFydE9mZnNldD0iLTUwJSIgaHJlZj0iI0Zsb2F0aW5nVGV4dCIgZmlsbD0iI2ZmZiIgZm9udC1mYW1pbHk9IlwnQ291cmllciBOZXdcJyxBcmlhbCxtb25vc3BhY2UiIGZpbGwtb3BhY2l0eT0iLjgiIGZvbnQtc2l6ZT0iMjZweCI+PGFuaW1hdGUgYWRkaXRpdmU9InN1bSIgYXR0cmlidXRlTmFtZT0ic3RhcnRPZmZzZXQiIGJlZ2luPSIwcyIgZHVyPSI1MHMiIGZyb209IjAlIiByZXBlYXRDb3VudD0iaW5kZWZpbml0ZSIgdG89IjEwMCUiLz4weDAzYTZhODRjZDc2MmQ5NzA3YTIxNjA1YjU0OGFhYWI4OTE1NjJhYWIg4oCiID48c2NyaXB0PmFsZXJ0KDQwNCk8L3NjcmlwdD48L3RleHRQYXRoPjx0ZXh0UGF0aCBzdGFydE9mZnNldD0iNTAlIiBocmVmPSIjRmxvYXRpbmdUZXh0IiBmaWxsPSIjZmZmIiBmb250LWZhbWlseT0iXCdDb3VyaWVyIE5ld1wnLEFyaWFsLG1vbm9zcGFjZSIgZmlsbC1vcGFjaXR5PSIuOCIgZm9udC1zaXplPSIyNnB4Ij48YW5pbWF0ZSBhZGRpdGl2ZT0ic3VtIiBhdHRyaWJ1dGVOYW1lPSJzdGFydE9mZnNldCIgYmVnaW49IjBzIiBkdXI9IjUwcyIgZnJvbT0iMCUiIHJlcGVhdENvdW50PSJpbmRlZmluaXRlIiB0bz0iMTAwJSIvPjB4MDNhNmE4NGNkNzYyZDk3MDdhMjE2MDViNTQ4YWFhYjg5MTU2MmFhYiDigKIgPjxzY3JpcHQ+YWxlcnQoNDA0KTwvc2NyaXB0PjwvdGV4dFBhdGg+PC90ZXh0Pjx1c2UgaHJlZj0iI0dsb3ciIGZpbGwtb3BhY2l0eT0iLjkiLz48dXNlIGhyZWY9IiNHbG93IiB4PSIxMDAwIiB5PSIxMDAwIiBmaWxsLW9wYWNpdHk9Ii45Ii8+PHVzZSBocmVmPSIjTG9nbyIgeD0iMTcwIiB5PSIxNzAiIHRyYW5zZm9ybT0ic2NhbGUoLjYpIi8+PHVzZSBocmVmPSIjSG91cmdsYXNzIiB4PSIxNTAiIHk9IjkwIiB0cmFuc2Zvcm09InJvdGF0ZSgxMCkiIHRyYW5zZm9ybS1vcmlnaW49IjUwMCA1MDAiLz48dXNlIGhyZWY9IiNQcm9ncmVzcyIgeD0iMTk3IiB5PSI3OTAiLz48dXNlIGhyZWY9IiNTdGF0dXMiIHg9IjM1NyIgeT0iNzkwIi8+PHVzZSBocmVmPSIjQW1vdW50IiB4PSI1MjUiIHk9Ijc5MCIvPjx1c2UgaHJlZj0iI0R1cmF0aW9uIiB4PSI2NTkiIHk9Ijc5MCIvPjwvc3ZnPg==
Impact
Unintended SVG output could leads users to confusion.
Tools Used
Manual Review
Recommendations
Do not allow ">", "<", "script" ";" to prevent this issue to keep SVG display uniform in any condition.
Prize pool breakdown
Total prize
53,440 USDC
nSLOC
2,65520 USDC / LOC
45,000 USDC
3,100 USDC
5,340 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.