Simon Willison

... and it looks like that means I can do an img tag with an src that points to a base64 encoded SVG object and any nasty JavaScript etc will be disabled for me - here's an example which seems to demonstrate that working gistpreview.github.io/?03f0076

Screenshot showing three SVG examples demonstrating base64 embedding. Contains heading "SVG Base64 Embedding Demo" followed by three panels: 1) "Simple Sun SVG" showing a yellow circle with rays, labeled "A basic sun shape with rays" 2) "Pelican SVG" showing a gray stylized bird shape, labeled "A stylized pelican shape" 3) "SVG with JavaScript (ignored)" showing a pink square with text "JS Ignored", labeled "SVG with JavaScript that gets ignored when embedded as an image". Footer note states "When SVGs are embedded using img tags with base64 data URIs, any JavaScript or interactive elements are safely ignored by the browser."
1 comment
Kevin Marks

@simon right, an img tag sandboxes them. What I do for svgshare.com is both display them as img and also run the svg through python html5lib and remove any script elements. (I also inline it in the upload dialogue so anyone trying to xss me does it to themselves instead). The other approach is what feedparser does and whitelist svg and html elements.

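Kevin's two approaches above, dropping script elements and allowlisting what may stay, combined in one sanitizer. This is an added example, not code from the thread or from svgshare.com; it uses the standard library's xml.etree instead of html5lib, and the allowlist and the sample SVG are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, parse with defusedxml (entity bombs)

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Allowlist constructed for this example: enough for simple shapes like the thread's sun and pelican.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "circle", "rect", "line", "polygon",
                "path", "text", "tspan", "a", "use"}
ALLOWED_ELEMENTS = {"{%s}%s" % (SVG_NS, t) for t in ALLOWED_TAGS} | ALLOWED_TAGS  # SVG ns or none
ALLOWED_ATTRS = {"viewBox", "width", "height", "cx", "cy", "r", "x", "y", "x1", "y1", "x2", "y2",
                 "d", "points", "fill", "stroke", "stroke-width", "transform", "font-size", "id"}
FRAGMENT_REF = re.compile(r"#[\w.-]+")  # href may only point inside the document itself


def _local(name):  # '{ns}rect' -> 'rect'
    return name.rsplit("}", 1)[-1]


def _clean(elem):
    for child in list(elem):
        if child.tag in ALLOWED_ELEMENTS:
            _clean(child)
            continue
        # Drop script, style, foreignObject and anything unknown (subtree included); keep its trailing text.
        i = list(elem).index(child)
        target, key = (elem[i - 1], "tail") if i else (elem, "text")
        setattr(target, key, (getattr(target, key) or "") + (child.tail or ""))
        elem.remove(child)
    for name, value in list(elem.attrib.items()):
        lname = _local(name)
        if lname == "href":
            if not FRAGMENT_REF.fullmatch(value.strip()):
                del elem.attrib[name]  # javascript:, data: and external URLs all go
        elif lname.startswith("on") or lname not in ALLOWED_ATTRS:
            del elem.attrib[name]  # event handlers (onload, onclick, ...) and unknown attributes


def sanitize_svg(svg_text):
    root = ET.fromstring(svg_text)
    if root.tag not in ALLOWED_ELEMENTS or _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    _clean(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample modelled on the thread's "JS Ignored" square, with script tucked into several places.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100" '
          'onload="alert(1)"><script>alert(2)</script><rect x="10" y="10" width="80" height="80" fill="pink" onclick="alert(3)"/>'
          '<a xlink:href="javascript:alert(4)"><text x="20" y="55">JS Ignored</text></a><foreignObject><body '
          'xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(5)"/></body></foreignObject></svg>')
```

Serving the result with an image content type and displaying it through an img tag, as Kevin does, still adds the browser's sandbox on top of this allowlist.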