You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2011-27
Mozilla Foundation Security Advisory 2011-27
Title: XSS encoding hazard with inline SVG
Impact: Moderate
Announced: June 21, 2011
Reporter: Mario Heiderich
Products: Firefox, SeaMonkey
Fixed in: Firefox 5
SeaMonkey 2.2
Description
Security researcher Mario Heiderich reported that HTML-encoded entities were being improperly decoded when displayed inside SVG elements. This could lead to XSS attacks on sites relying on HTML encoding of user-supplied content.
The inline SVG feature was introduced in the browser engine used by Firefox 4 and SeaMonkey 2.1; the vulnerability does not affect earlier versions.