| ▲ | collinmanderson 3 hours ago | |
> But you can use an `img` tag (`<img src="evil.svg">`) and that'll basically Just Work That doesn't help too much if evil.svg is hosted on the same domain (with default "Content-Type: image/svg+xml" header), because attacker can send a direct link to the file. | ||
| ▲ | GoblinSlayer 29 minutes ago | parent [-] | |
Reddit horribly breaks direct links to images and serves html instead. | ||