Add sanitation

src/ImageSharp.Web/ExifOrientationUtilities.cs

@@ -1,7 +1,6 @@
 // Copyright (c) Six Labors.
 // Licensed under the Apache License, Version 2.0.
 
-using System;
 using System.Numerics;
 using System.Runtime.CompilerServices;
 using SixLabors.ImageSharp.Metadata.Profiles.Exif;
@@ -64,6 +63,7 @@ public static Vector2 Transform(Vector2 position, Vector2 min, Vector2 max, usho
                     builder.AppendRotationDegrees(90);
                     break;
                 default:
+                    // Use identity matrix.
                     break;
             }
 

src/ImageSharp.Web/Middleware/ImageSharpMiddlewareOptions.cs

@@ -25,7 +25,6 @@ public class ImageSharpMiddlewareOptions
             }
 
             // It's a good idea to have this to provide very basic security.
-            // We can safely use the static resize processor properties.
             uint width = c.Parser.ParseValue<uint>(
                 c.Commands.GetValueOrDefault(ResizeWebProcessor.Width),
                 c.Culture);
@@ -40,6 +39,15 @@ public class ImageSharpMiddlewareOptions
                 c.Commands.Remove(ResizeWebProcessor.Height);
             }
 
+            float[] coordinates = c.Parser.ParseValue<float[]>(c.Commands.GetValueOrDefault(ResizeWebProcessor.Xy), c.Culture);
+
+            if (coordinates.Length != 2
+            || coordinates[1] < 0 || coordinates[1] > 1
+            || coordinates[0] < 0 || coordinates[0] > 1)
+            {
+                c.Commands.Remove(ResizeWebProcessor.Xy);
+            }
+
             return Task.CompletedTask;
         };