| ▲ | staticassertion 12 hours ago | |
No, svgs can do `onload` and `onerror` and also reference other svgs that can themselves contain those things (base64'd or behind a URI). But you can use an `img` tag (`<img src="evil.svg">`) and that'll basically Just Work, or use a CSP. I wouldn't rely on sanitizing, but I'd still sanitize. | ||
| ▲ | collinmanderson an hour ago | parent [-] | |
> But you can use an `img` tag (`<img src="evil.svg">`) and that'll basically Just Work That doesn't help too much if evil.svg is hosted on the same domain (with default "Content-Type: image/svg+xml" header), because attacker can send a direct link to the file. | ||