
Relottie Ecosystem - Security

Understand security considerations when using Relottie. Learn about Lottie expressions, XSS risks, and best practices for secure Lottie processing.

Ecosystem: Security Considerations

When working with relottie and processing Lottie files, especially those from untrusted sources, it's important to be aware of potential security implications, primarily related to Lottie Expressions.

Lottie Expressions and XSS Risk

  • What are Expressions? Lottie supports JavaScript-based expressions within the animation data. These expressions allow for dynamic property values and interactions directly within the animation itself.

  • The Risk: If a Lottie file containing malicious JavaScript expressions is processed and rendered in an environment that executes those expressions (as some web players do), the result is a Cross-Site Scripting (XSS) vulnerability: the attacker's code runs in the context of the user's browser.

How relottie Handles Expressions

  • Parsing and Stringifying: relottie itself, through relottie-parse and relottie-stringify, does not execute JavaScript expressions. It treats them as data within the LAST tree.

  • Identification: The Root node in the LAST tree carries a hasExpressions: boolean flag, added specifically so that an animation that may contain expressions can be identified early in the processing pipeline.

  • Plugin Responsibility: Individual relottie plugins may interact with expression content. A plugin that evaluates expression strings, or manipulates them improperly, introduces risk that the core tools do not.

Recommendations

  1. Assess Your Plugins: Carefully review any relottie plugins you use, especially third-party ones. Understand if and how they interact with expression-related nodes in the LAST tree. Avoid plugins that unnecessarily evaluate expression content.

  2. Validate Input: Whenever possible, process Lottie files only from trusted sources. If you must handle untrusted Lottie files, be extra cautious.

  3. Check hasExpressions: Use the hasExpressions flag on the Root node of the LAST tree as an initial check. If true, apply extra scrutiny or potentially sanitize/reject the file depending on your application's security requirements.

  4. Secure Rendering: The primary risk comes from rendering Lottie files with expressions in a vulnerable context. Ensure that the Lottie player or environment you use downstream has appropriate security measures or allows disabling expression execution if needed.

  5. Sanitization (Advanced): For advanced use cases, you could potentially create a custom relottie plugin to specifically find and remove or neutralize expression properties within the LAST tree before stringifying or further processing.
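The following is an added example, not relottie's own code or plugin API: it implements recommendations 3 and 5 on the raw Lottie JSON object (before relottie-parse or after relottie-stringify) rather than on the LAST tree. It assumes the Lottie JSON convention that an animated property stores its expression as a string under the "x" key; the sample animation is constructed for the example.

```javascript
// Added example (not relottie's code): detect and strip Lottie expression
// strings from a raw animation object. Assumption: the Lottie format stores
// an animated property's expression as a string under "x"; split-dimension
// positions also have an "x" key, but it holds an object, so it is kept.

// Walk the JSON tree and collect the path of every expression string.
function findExpressions(node, path = [], found = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findExpressions(child, [...path, i], found));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === 'x' && typeof value === 'string') {
        found.push({ path: [...path, key].join('.'), expression: value });
      } else {
        findExpressions(value, [...path, key], found);
      }
    }
  }
  return found;
}

// Same question the hasExpressions flag on the LAST Root node answers.
function hasExpressions(animation) {
  return findExpressions(animation).length > 0;
}

// Return a deep copy with every expression removed; each property keeps
// its keyframed value (k), so the animation still renders, just without
// the dynamic behaviour the expression would have added.
function stripExpressions(animation) {
  const copy = JSON.parse(JSON.stringify(animation));
  const strip = (node) => {
    if (Array.isArray(node)) node.forEach(strip);
    else if (node !== null && typeof node === 'object') {
      if (typeof node.x === 'string') delete node.x;
      Object.values(node).forEach(strip);
    }
  };
  strip(copy);
  return copy;
}

// Constructed sample: one layer whose opacity carries an expression and
// whose position uses split dimensions (an object under "x", not a string).
const sampleAnimation = {
  v: '5.7.4', fr: 30, ip: 0, op: 60, w: 100, h: 100,
  layers: [{ ty: 4, nm: 'shape', ks: {
    o: { a: 0, k: 100, x: 'var $bm_rt = 100; $bm_rt' },
    p: { a: 0, s: true, x: { a: 0, k: 50 }, y: { a: 0, k: 50 } },
  } }],
};
```

The paths returned by findExpressions are what you would log or surface when a file is rejected, and stripExpressions is the logic a sanitizing plugin would apply to the equivalent nodes in the LAST tree.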

In summary: While relottie core tools don't execute expressions, the nature of Lottie files means developers using the ecosystem must be aware of the potential risks associated with expressions, especially when handling untrusted input or using third-party plugins.

Last updated: April 10, 2026 at 9:12 AM