
I see a big security problem with SVG: browsers allow executing scripts in SVG files in the site's security context, so you have to check for a lot of script execution vectors in SVG before you allow uploading user files.

My understanding is that SVG in <img> is safe but prevents script execution.

SVG in iframe + srcdoc + sandbox gives you sort-of-inline SVG with separate security contexts.

Only plain inlined SVG should be a security risk.

If you host an SVG file on the same domain as the main site, I can give a direct link to the SVG file and your browser will execute arbitrary JavaScript in that context.

I think in that case setting the CSP sandbox header to "allow-scripts" would have the same effect as the iframe sandbox attribute and allow script execution in the SVG but prevent same-origin access and various other things.
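An added example (not code from the thread) of the header approach in the comment above, using Python's standard-library HTTP server; the `/uploads/` prefix and the file layout are assumptions. By default it sends a bare `sandbox` directive for uploaded files, and `allow_scripts=True` reproduces the commenter's variant, which still withholds `allow-same-origin` so a directly linked SVG runs in an opaque origin rather than the site's.

```python
"""Serve user-uploaded files (e.g. SVG) with a CSP sandbox so a direct link
cannot run script in the site's own origin. Added example; paths are assumed."""
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

UPLOAD_PREFIX = "/uploads/"  # assumption: where user-supplied files are served from


def upload_headers(url_path: str, allow_scripts: bool = False) -> dict:
    """Extra response headers for a request path under UPLOAD_PREFIX.

    Returns {} for any other path so normal site pages are unaffected.
    The query string is ignored when deciding whether a path is an upload.
    """
    if not urlsplit(url_path).path.startswith(UPLOAD_PREFIX):
        return {}
    # 'sandbox' without 'allow-same-origin' gives the document an opaque origin:
    # even if script is allowed, it cannot read the real site's cookies or DOM.
    csp = "sandbox allow-scripts" if allow_scripts else "sandbox"
    return {
        "Content-Security-Policy": csp,
        # Prevent MIME sniffing so an upload is not reinterpreted as HTML.
        "X-Content-Type-Options": "nosniff",
    }


class UploadHandler(SimpleHTTPRequestHandler):
    """Static file handler that applies upload_headers() to every response."""

    def end_headers(self):
        for name, value in upload_headers(self.path).items():
            self.send_header(name, value)
        super().end_headers()


if __name__ == "__main__":
    # Serves the current directory; put uploads under ./uploads/ (assumption).
    ThreadingHTTPServer(("127.0.0.1", 8000), UploadHandler).serve_forever()
```

The CSP sandbox only matters when the SVG is loaded as a document (direct link or iframe); when it is referenced from `<img>` the browser does not run its scripts regardless.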
