pornel 11 hours ago

BTW, HTML allows inline SVG with an XML-flavored syntax that interprets <script/> and <title> differently. It's a goldmine for sanitizer escapes. There are completely bonkers syntax switching and error recovery rules that interact with parsing modes (there's even an edge case where a particular attribute value switches between HTML and XML-ish parsing rules).

Don't even try to allow inline <svg> from untrusted sources! (and then you still must sanitise any svg files you host)

kccqzy 10 hours ago

If you just serve SVGs through <img> tag it’ll be much safer. I never understood the appeal of inline <svg> anyways.

lenkite 8 hours ago

Inline SVG is stylable with CSS styles in the same HTML page.

runarberg 7 hours ago

Also animatable within the same context (Animation API, etc.) as the parent page, so different SVGs can influence each other’s animations.

rwj 9 hours ago

Inline reduces round trips.

toast0 8 hours ago

You can use img with a data url?