← Back to context

Comment by pcthrowaway

6 days ago

SVG is XML-based, unlike HTML which follows the SGML spec

From curling the malicious page you can also see:

    <?xml version="1.0" encoding="UTF-8"?>
        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1000" height="1000">

1 comment

pcthrowaway

Reply
nneonneo  5 days ago

Yes, SVGs are XML-based and may be vulnerable to generic XML-based XML external entity (XXE) or exponential entity expansion attacks, but this particular malicious SVG is using SVG-specific features to create the resource exhaustion.