Re: [svgwg] Referencing SVGs through USE from other domains (#707)

I'm not a security expert. I tried USE with external SVGs on the same domain and it seems that scripts are not run, nor do event handlers like onclick trigger, nor does other basic malicious scripting I could think of. I realize there is more danger there that I do not know about, but like I said, people currently work around this by simply requesting the SVG source and inlining it into the page, and I doubt many of them run it through DOMPurify or something. So even if it might not be that safe a practice, to achieve the same effect people most likely turn to even more dangerous solutions.

Glad to see it's not dismissed completely, hope you can think of something!

-- 
GitHub Notification of comment by waterplea
Please view or discuss this issue at https://github.com/w3c/svgwg/issues/707#issuecomment-507338795 using your GitHub account

Received on Monday, 1 July 2019 16:36:41 UTC