Embedding Scalable Vector Graphics (SVG) can expose websites to code injection. This article explores how SVGs work, the risks they pose, and how to mitigate them.
For quite a while, I thought of Scalable Vector Graphics (SVG) as exactly that: an image that scales cleanly because it describes shapes, paths and text as elements instead of pixel by pixel. That intuition is not wrong, but it is incomplete: an SVG file is an XML document, and the differences from a raster image have security implications, which this blog post aims to highlight. Being an introductory post, we stay at the surface and leave aside more advanced attacks such as XML external entity (XXE) injection or CSS-based exfiltration using SVG fonts.
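To make the "not just an image" point concrete, here is an added example (my own illustration, not code from the original post): two constructed SVG documents, one that is a plain drawing and one that carries script in three of the places an SVG document can, plus a small server-side check that walks the XML tree and flags those places. The function name `find_active_content` and the samples are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a plain vector drawing, the "just a scalable image" case.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="tomato"/>
</svg>"""

# Constructed sample: the same drawing carrying script three ways:
# an event-handler attribute, a javascript: link, and a <script> element.
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="tomato" onclick="alert(document.domain)"/>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
  <script>alert(document.cookie)</script>
</svg>"""


def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return (element, reason) findings for constructs that can execute script.

    This is a detection heuristic for an upload gate, not a sanitizer: it
    reports <script> and <foreignObject> elements, on* event attributes and
    javascript: URLs in href, and deliberately ignores everything else.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():            # iter() includes the root element
        tag = local_name(elem.tag)
        if tag in ("script", "foreignObject"):
            findings.append((tag, f"<{tag}> element"))
        for attr, value in elem.attrib.items():
            name = local_name(attr)     # xlink:href and href both end up as "href"
            if name.lower().startswith("on"):
                findings.append((tag, f"event handler attribute {name}"))
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((tag, "javascript: URL in href"))
    return findings


def is_plain_image(svg_text):
    """True only if the check above finds nothing script-bearing."""
    return not find_active_content(svg_text)


if __name__ == "__main__":
    print("benign:", find_active_content(BENIGN_SVG))
    print("active:", find_active_content(ACTIVE_SVG))
```

Two caveats worth keeping in mind. First, whether any of this runs depends on how the file is embedded: a browser treats an SVG referenced from an `<img>` tag as a passive image and does not execute its scripts, while the same file inlined into the page or loaded via `<object>`, `<iframe>` or direct navigation is a full document whose scripts do run. Second, a denylist like this is only a triage aid; for actually serving user-supplied SVG, use an allowlist-based sanitizer or serve the file from a separate origin.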