
I don't know the details of the SVG standard and its extensions. But I have read that SVG images can execute some scripts.

Is it safe to display any (user uploaded) SVG image on site?

kravemir

1 Answer


It should be safe as long as you load them as an <img>. That includes equivalent uses such as with background-image. But it is not safe when inlined, or loaded via <object> etc.

The browser follows special rules when SVG images are loaded this way. For example, the SVG must be self-contained (i.e. no external resources), scripts will not be executed, and :visited style rules will not be applied.

See: https://www.w3.org/wiki/SVG_Security

Paul LeBeau
  • What if the SVG is loaded using base64-encoded data inside the `src` of the `img` tag? For example: ``. Is it still safe? – kravemir Nov 29 '17 at 14:59
  • It doesn't matter what the source of the SVG data is. The same rules apply. – Paul LeBeau Nov 30 '17 at 07:28
  • Thank you for the answer. So, SVG can contain malicious content. And it depends on the browser whether it respects SVG Security. Therefore, rather don't count on that. – kravemir Nov 30 '17 at 09:22
  • SVG has the ` – Paul LeBeau Nov 30 '17 at 11:16
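The answer above lists the rules a browser applies to an SVG loaded as an <img> (self-contained, no scripts), and the follow-up comment suggests not relying on the browser alone. The checker below is an added example, not code from the question or answer: it applies those same rules to an uploaded SVG on the server, using only the Python standard library, so a file that would only ever be safe as an <img> is flagged before it can be served in any other context. Assumptions: the sample SVGs are constructed here, and for genuinely untrusted uploads the parser would be swapped for defusedxml.ElementTree.

```python
import re
import xml.etree.ElementTree as ET

# Matches the target of a CSS url(...) token: fill="url(#grad)", url("https://host/x").
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)

def _local(qname):  # '{http://www.w3.org/1999/xlink}href' -> 'href'
    return qname.rsplit("}", 1)[-1].lower()

def _is_external(ref):  # only '#id' fragments and inline data: URLs are self-contained
    ref = ref.strip().lower()
    return not (ref.startswith("#") or ref.startswith("data:"))

def svg_risks(svg_text):
    """List every feature an <img> loader would refuse to honour: scripts, event
    handlers, javascript: URLs, external resources. Empty list = looks self-contained."""
    risks = []
    root = ET.fromstring(svg_text)  # for untrusted uploads use defusedxml.ElementTree (assumption)
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            risks.append("<script> element")
        elif name == "foreignobject":
            risks.append("<foreignObject> element (embeds arbitrary HTML)")
        elif name == "style" and el.text:
            risks += [f"external resource {u!r} in <style>"
                      for u in _CSS_URL.findall(el.text) if _is_external(u)]
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                risks.append(f"event handler {aname}= on <{name}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                risks.append(f"javascript: URL on <{name}>")
            elif aname == "href" and _is_external(value):
                risks.append(f"external reference {value!r} on <{name}>")
            risks += [f"external resource {u!r} in {aname}= on <{name}>"
                      for u in _CSS_URL.findall(value) if _is_external(u)]
    return risks

# Constructed samples: a self-contained icon, and one that breaks the rules above.
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient>
  <rect width="10" height="10" fill="url(#g)"/>
</svg>"""
RISKY_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <style>rect { fill: url("https://cdn.example/pattern.svg#p"); }</style>
  <script>console.log("ran")</script>
  <image xlink:href="https://cdn.example/photo.png" width="1" height="1"/>
  <rect width="1" height="1" onclick="console.log(1)"/>
</svg>"""
```

`svg_risks(SAFE_SVG)` returns an empty list, while the risky sample is reported four times: the external stylesheet resource, the script element, the external image reference and the onclick handler.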