top | item 47137886

(no title)

pornel | 5 days ago

BTW, HTML allows inline SVG with an XML-flavored syntax that interprets <script/> and <title> differently. It's a goldmine for sanitizer escapes. There are completely bonkers syntax switching and error recovery rules that interact with parsing modes (there's even an edge case where a particular attribute value switches between HTML and XML-ish parsing rules).

Don't even try to allow inline <svg> from untrusted sources! (and then you still must sanitise any svg files you host)

discuss

kccqzy|5 days ago

If you just serve SVGs through <img> tag it’ll be much safer. I never understood the appeal of inline <svg> anyways.

lenkite|5 days ago

Inline SVG is stylable with CSS styles in the same HTML page.

rwj|5 days ago

Inline reduces round trips.