Comment by umvi
4 hours ago
SVGs have a lot of security landmines; it's simplest to just disallow them, especially if they are untrusted (user provided)
4 hours ago
SVGs have a lot of security landmines; it's simplest to just disallow them, especially if they are untrusted (user provided)
Definitely! In 2020, I reported an XSS vulnerability in GitLab using the onLoad attribute to run arbitrary JavaScript, and I was able to perform user actions without requiring any user interaction. For some reason it took them months to fix it after I reported it to them.
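Where SVGs cannot simply be rejected, one defensive option is to strip active content before storage. The sanitizer below is added here as an example (not GitLab's fix and not code from this thread): it removes event-handler attributes such as the onLoad described above, along with script-bearing elements and javascript: URLs, and runs on a constructed hostile sample.

```python
"""Sanitize user-supplied SVG by removing active content.
Constructed example; for production parsing of untrusted XML,
pair this with a hardened parser such as defusedxml (assumption)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute or embed scriptable content; removed outright.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree adds to tags/attrs."""
    return name.rsplit("}", 1)[-1]

def _is_script_url(value: str) -> bool:
    # Browsers ignore embedded whitespace/control chars in the scheme.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith(("javascript:", "data:text/html"))

def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (clean_svg, findings); findings lists each removal."""
    root = ET.fromstring(svg_text)
    findings: list[str] = []
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ACTIVE_TAGS:
                findings.append(f"removed <{_local(child.tag)}>")
                parent.remove(child)
    for el in root.iter():
        for name in list(el.attrib):
            # Any on* attribute (onLoad, onload, onbegin, ...) is a handler.
            if _local(name).lower().startswith("on"):
                findings.append(f"removed {_local(name)} on <{_local(el.tag)}>")
                del el.attrib[name]
            elif name in URL_ATTRS and _is_script_url(el.attrib[name]):
                findings.append(f"removed script URL on <{_local(el.tag)}>")
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode"), findings

# Constructed hostile sample: onLoad handler, <script>, obfuscated javascript: link.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" onLoad="alert(1)">
  <script>alert(2)</script>
  <a xlink:href="java&#x09;script:alert(3)"><rect width="10" height="10"/></a>
</svg>"""

if __name__ == "__main__":
    clean, found = sanitize_svg(SAMPLE)
    print(clean)
    print(found)
```

Stripping alone is not a complete defence; serving user SVGs from a separate origin or as a download (Content-Disposition: attachment) keeps any missed handler from running in the application's origin.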