
When you load an SVG file as an image, JavaScript is not executed, but SMIL animations and CSS (which includes animations) are.

If you open the SVG file directly, then JavaScript will be executed. But any hosting platform that hosts your content on their domain should filter out any JavaScript on SVG as it would on HTML.



> But any hosting platform that hosts your content on their domain should filter out any JavaScript on SVG as it would on HTML.

That's definitely not a thing that happens. Web servers just serve the file as-is.


The point is they either need to filter the served content, or serve it from a different domain (e.g. githubusercontent.com), otherwise you have XSS-like problems.


My understanding is that things like this are one of the reasons GitHub moved GitHub Pages subdomains from github.com to github.io.


GitHub raw endpoints do it. They will either serve the SVG without an image/svg+xml Content-Type, making it not render in the browser, or you have to append ?sanitize=true to the URL which will, as the name suggests, sanitize it.


Ok, but that is GitHub... parent poster stated it's common to do that... it is not.


It's web security 101 for handling user uploads. (although in the case of SVG most sites solve it by just not accepting "weird" formats like SVG)
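The two defences the thread keeps circling back to are (a) strip the scriptable parts out of an uploaded SVG before serving it as an image, or (b) serve the untouched bytes with a non-image Content-Type / as a download so the browser never renders them as a document. The code below is an added example, not from the thread and not GitHub's implementation: it uses only Python's standard library, the element/attribute/URL allow-list is an illustrative assumption, and the exact response headers in `serve_upload` are likewise assumed. The sample SVG is constructed for the demonstration.

```python
"""Added example: minimal SVG upload sanitizer plus the two serving
policies discussed in the thread. Not the code of any real platform."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep <svg> un-prefixed on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that can run script or embed arbitrary HTML inside the SVG
# (assumed policy; a real service would start from a vetted allow-list).
DANGEROUS_ELEMENTS = {"script", "foreignObject"}
# Attributes that carry URLs (href and xlink:href share the local name).
URL_ATTRS = {"href"}
# Allow-list of URL shapes that may survive; javascript:, vbscript:,
# data:text/html etc. fail this match and are dropped.
SAFE_URL = re.compile(r"^(?:https?://|#|/|data:image/(?:png|jpeg|gif);)", re.I)

# Constructed sample of what a user might upload: script element, event
# handler on the root, javascript: link and an HTML island.
UNTRUSTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><circle r="10"/></a>
  <image href="https://example.com/ok.png" width="10" height="10"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">hi</body></foreignObject>
</svg>"""


def _local(name):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(svg_bytes):
    """Return the SVG with scriptable elements, on* handlers and unsafe
    URLs removed. Uses xml.etree for brevity; production code should
    parse with defusedxml (or equivalent) to also cover entity-expansion
    attacks, which the standard parser does not block."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    parents = {child: parent for parent in root.iter() for child in parent}

    for el in list(root.iter()):           # snapshot: we mutate the tree
        if _local(el.tag) in DANGEROUS_ELEMENTS:
            parents[el].remove(el)         # root is <svg>, never removed here
            continue
        for attr in list(el.attrib):
            local = _local(attr).lower()
            if local.startswith("on"):     # onload=, onclick=, onbegin=, ...
                del el.attrib[attr]
            elif local in URL_ATTRS and not SAFE_URL.match(el.attrib[attr].strip()):
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


def serve_upload(data, sanitize):
    """Headers and body a host could send for a user-uploaded SVG.
    sanitize=True: cleaned document served as an image under a CSP that
    forbids script. sanitize=False: original bytes served as a download
    with a non-image type, so the browser will not render it as a page.
    (Assumed header set mirroring the two behaviours the thread attributes
    to GitHub's raw endpoint.)"""
    if sanitize:
        headers = {
            "Content-Type": "image/svg+xml",
            "Content-Security-Policy": "sandbox; script-src 'none'",
            "X-Content-Type-Options": "nosniff",
        }
        return headers, sanitize_svg(data)
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, data


if __name__ == "__main__":
    print(sanitize_svg(UNTRUSTED_SVG).decode())
    print(serve_upload(UNTRUSTED_SVG, sanitize=False)[0])
```

Note that sanitizing only matters on the same-origin path; serving uploads from a separate origin (the githubusercontent.com pattern mentioned above) removes the XSS consequence even for an unsanitized file, and the `sanitize=False` branch here is the same idea expressed through headers rather than a second domain.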




