@simon right, an img tag sandboxes them. What I do for svgshare.com is both display them as img and also run the svg through python html5lib and remove any script elements. (I also inline it in the upload dialogue so anyone trying to xss me does it to themselves instead). The other approach is what feedparser does and whitelist svg and html elements.