Not necessarily; think sites like pixabay, where you can upload SVG files for people to use for free on their website. You can just add a <script> tag and everybody foolish enough to just copy-paste the SVG file into the website will unknowingly introduce someone else's code that way.
In conclusion, always inspect SVG graphics before using them (and then grep for script anyways).
Also I do believe there are people out there dumb enough to accept user-submitted SVG and just embed that on their website, like, for profile pages and such.
By the way, is there any list of specific things to consider here? Like, what should one even grep for? script, onclick, etc., and especially things that normal HTML sanitizers might miss.
Yes, I agree about copy and paste, it is dangerous. Well, script tags and event handlers are both equally bad.
Also, referencing third-party scripts can enable user tracking.
@darkwiiplayer - Agreed on all points. I did come across this XSS "cheat sheet" of event handlers one should watch out for (filter by "SVG"):
portswigger.net/web-security/cross...
There are some sneaky ones like "onunload", "onpointerover", etc.
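Picking up the "what should one even grep for" question and the replies about script tags, event handlers and third-party references: an added example, written for this thread and not posted by any of the participants above, of a small Python checker that parses an SVG and flags exactly those constructs. The sample SVG, the tracker.example host and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Attribute values that can execute code, or that pull in remote content.
SCRIPT_URL = re.compile(r"^\s*(?:javascript|vbscript|data)\s*:", re.I)
REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.I)


def find_svg_risks(svg_text):
    """Return (category, detail) findings for one SVG document.

    xml.etree expands internal entities, so for untrusted uploads at scale
    swap in defusedxml (assumption: it is installed); the walk is identical.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():  # document order, root included
        tag = elem.tag.split("}")[-1].lower()  # drop the namespace part
        if tag == "script":
            findings.append(("script element", (elem.text or "").strip()))
        elif tag == "foreignobject":
            findings.append(("foreignObject element", "can embed arbitrary HTML"))
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()  # xlink:href -> href
            if local.startswith("on"):  # onclick, onload, onpointerover, ...
                findings.append(("event handler attribute", f"{local}={value}"))
            elif SCRIPT_URL.match(value):
                findings.append(("script/data URL in attribute", f"{local}={value}"))
            elif local in ("href", "src") and REMOTE_URL.match(value):
                findings.append(("external reference", f"{local}={value}"))
    return findings


# Constructed sample: a plain icon with the kinds of additions discussed above.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#ccc" onpointerover="console.log('x')"/>
  <image xlink:href="https://tracker.example/pixel.png" width="1" height="1"/>
  <a href="javascript:console.log('x')"><text y="5">label</text></a>
  <script>console.log('x')</script>
</svg>"""


def sample_findings():
    return find_svg_risks(SAMPLE_SVG)


if __name__ == "__main__":
    for category, detail in sample_findings():
        print(f"{category}: {detail}")
```

Run it over every uploaded or copy-pasted SVG before it reaches a page; anything it reports is a reason to reject the file or hand it to an image sanitizer rather than embed it inline.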