One case where you probably can't is for image uploads. You might think it would... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		throwaway_bad on Oct 7, 2019 \| parent \| context \| favorite \| on: Web Graphics Done Right One case where you probably can't is for image uploads. You might think it would be nice to allow a user to upload a svg for their avatar or something. But SVG can embed javascript which can lead to XSS: https://hackerone.com/reports/148853

pekim on Oct 7, 2019 | [–]

That's certainly something to be considered with user uploaded svg images. However it's reasonably straightforward to parse an svg and remove any script elements.

microcolonel on Oct 7, 2019 | [–]

You can safely use XSLT to subset SVG, and (for example) limit complexity. Scripts in SVGs do not load in img tags either.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact