I love SVG. I use it extensively for my online game.
Wouldn't an iframe limit the SVG's scripts to within the iframe sandbox? It shouldn't be able to cross over into the main document.
As an image tag it'd be completely separated as well.
I doubt any sites inject user SVG directly into their web pages. I do that for my game and had no end of problems with it. For the most part SVGs just won't work that way unless you significantly alter them.
My point is definitely not discouraging the use of SVGs! They're great; however, I wanted to point out how they can be exploited.
The iframe would have to have a source that is different than the parent domain - if so then the child SVG JS wouldn't be able to access the parent content due to CORS restrictions.
But there unfortunately have been cases where untrusted SVGs are being embedded on sites that have caused harm. Check out all the reports here: google.com/search?q=svg%20xss%20at...
I use SVGs all the time for their advantages but wanted to bring attention to this capability they have since an awareness of it can prevent major attacks.
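A first-pass check a site could run on an uploaded SVG before deciding how to embed it, as an added example that is not part of the original comments; `findActiveContent` and the sample documents are constructed for illustration. It flags script-capable markup so that such files are shown only through `<img>` or a separate-origin frame instead of being inlined.

```javascript
// Triage check for untrusted SVG: reports script-capable markup.
// It is not a sanitizer. Any finding means "do not inline this file".
// Limitation: character entities inside attribute values are not decoded.

const ACTIVE_ELEMENTS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object']);

// Opening tag: captures the tag name and the raw attribute text.
const TAG_RE = /<([A-Za-z][\w:.-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// Quoted attribute: captures the name and the double- or single-quoted value.
const ATTR_RE = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function findActiveContent(svgText) {
  const findings = [];
  for (const [, rawName, attrs] of svgText.matchAll(TAG_RE)) {
    // Compare on the local name so svg:script is treated like script.
    const name = rawName.toLowerCase().split(':').pop();
    if (ACTIVE_ELEMENTS.has(name)) findings.push(`element <${rawName}>`);

    for (const [, attrName, dq, sq] of attrs.matchAll(ATTR_RE)) {
      const attr = attrName.toLowerCase();
      // Strip whitespace and control characters before checking the scheme.
      const value = (dq ?? sq ?? '').replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
      if (attr.startsWith('on')) {
        findings.push(`handler ${attrName} on <${rawName}>`);
      }
      if ((attr === 'href' || attr === 'xlink:href') && value.startsWith('javascript:')) {
        findings.push(`javascript: URL in ${attrName} on <${rawName}>`);
      }
    }
  }
  return findings;
}

// Constructed samples (not taken from the thread).
const PLAIN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>';
const ACTIVE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">' +
  '<script>/* placeholder */</script>' +
  '<a xlink:href="JavaScript:void(0)"><circle r="5"/></a></svg>';

console.log(findActiveContent(PLAIN_SVG));
console.log(findActiveContent(ACTIVE_SVG));
```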