All SVGs should be properly sanitized going into a backend and out of it and when rendered on a page.
Do you allow SVGs to be uploaded anywhere on your site? This is a PSA that you're probably at risk unless you can find the few hundred lines of code doing the sanitization.
Note to Ruby on Rails developers: your Active Storage uploaded SVGs are not sanitized by default.
It would be better if they were sanitized by design and could not contain scripts and CSS. For interactive pictures, one could simply use HTML with inline SVG and scripts.
GitLab has some code in their repo if you want to see how to do it.
Sanitisation is a tricky process; it can be really easy for something to slip through the cracks.
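As an added example (not code from any poster, from GitLab or from Rails), here is an allowlist-based SVG sanitizer built on Python's standard library, taking the approach the thread describes: keep only known elements and attributes, so scripts, CSS, event handlers and external references never survive. The allowlists and the `href` rule are assumptions trimmed for the example; a production list needs a fuller review against the SVG spec.

```python
import re, xml.etree.ElementTree as ET
SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # so output keeps a plain xmlns="..." on <svg>
ET.register_namespace("xlink", XLINK_NS)
# Allowlists (assumed, trimmed for the example): anything not listed is dropped.
ALLOWED_TAGS = {"svg", "g", "defs", "use", "title", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "image", "linearGradient", "radialGradient", "stop"}
ALLOWED_ATTRS = {"id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry", "width",
                 "height", "viewBox", "preserveAspectRatio", "d", "points", "transform", "fill",
                 "fill-opacity", "stroke", "stroke-width", "opacity", "offset", "stop-color", "href"}
# href may only point inside the document or carry an inline raster image (no SVG, no URLs).
SAFE_HREF = re.compile(r"^(#[\w.:-]+|data:image/(png|jpeg|gif);base64,[A-Za-z0-9+/=]+)$")

def sanitize_svg(svg_text: str) -> str:
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.I):      # no entity tricks, no external DTDs
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(svg_text)   # default parser already discards comments and PIs
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element must be <svg> in the SVG namespace")
    _clean(root)
    return ET.tostring(root, encoding="unicode")

def _clean(elem: ET.Element) -> None:
    prev = None
    for child in list(elem):
        ns, _, local = child.tag.rpartition("}")
        if ns != "{" + SVG_NS or local not in ALLOWED_TAGS:
            # Drop the subtree (<script>, <style>, <foreignObject>, <a>, animation elements,
            # foreign namespaces) but re-attach the text that followed it.
            if child.tail:
                if prev is not None:
                    prev.tail = (prev.tail or "") + child.tail
                else:
                    elem.text = (elem.text or "") + child.tail
            elem.remove(child)
            continue
        _clean(child)
        prev = child
    for name, value in list(elem.attrib.items()):
        ns, _, local = name.rpartition("}")
        if local.lower().startswith("on") or local not in ALLOWED_ATTRS or (ns and ns != "{" + XLINK_NS):
            del elem.attrib[name]        # event handlers, style, unknown or foreign-namespace attrs
        elif local == "href" and not SAFE_HREF.match(value.strip()):
            del elem.attrib[name]        # javascript:, http(s):, data:image/svg+xml, ...
# Constructed sample (not a real upload): one benign <rect> beside the things the thread wants removed.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
          'onload="alert(1)" viewBox="0 0 10 10"><script>alert(1)</script><style>rect{fill:blue}</style>'
          '<rect x="1" y="1" width="8" height="8" fill="red" onclick="alert(1)"/><use xlink:href="#ok"/>'
          '<image xlink:href="https://example.invalid/t.png" width="1" height="1"/>'
          '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">html</body></foreignObject></svg>')
```

Running `sanitize_svg(SAMPLE)` leaves the `<rect>`, the `<use>` fragment reference and the `viewBox`, and nothing else from the sample.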
Just run them through `svgo` and get the benefits of smaller file sizes as well.
Is there SVG sanitization code which has been formally proven correct and itself free of security vulnerabilities?