SVG XSS

SVG XSS exploits the fact that SVG (Scalable Vector Graphics) files are XML-based and can contain embedded JavaScript. When user-supplied SVG content is rendered inline in a page, or served in a context where the browser treats it as a document rather than an image (for example when opened directly or embedded via <object>/<embed>), attackers can execute scripts in the application's origin.

How It Works

SVG supports various event handlers and even script tags. If an application allows SVG uploads or inline SVG content from users without proper sanitization, attackers can inject JavaScript that executes when the SVG is rendered.

Example

Malicious SVG file:

<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.cookie)</script>
</svg>

Or using event handlers:
<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="100" height="100" onmouseover="alert(1)"/>
</svg>

Using foreignObject for HTML injection (the iframe must be in the XHTML namespace, and the srcdoc value must be entity-escaped, since a literal < is not allowed inside an XML attribute value):

<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject width="100" height="100">
    <iframe xmlns="http://www.w3.org/1999/xhtml"
            srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>
  </foreignObject>
</svg>

Attack Vectors

  • SVG file uploads served with the wrong Content-Type, or rendered in the application's origin when opened directly
  • Inline SVG from user content, injected into the page's own DOM
  • SVG referenced from <img> tags (scripts and external loads are blocked) vs <object>/<embed>/<iframe> or direct navigation (scripts run)
  • SVG as a CSS background-image (treated like <img>, so script execution is blocked; limited impact)

Prevention

  • Sanitize SVG content on the server, removing script tags, event-handler attributes (on*), foreignObject, and non-fragment href targets
  • Serve uploaded SVGs with Content-Type: image/svg+xml and Content-Disposition: attachment, so the browser downloads rather than renders them
  • Use CSP to restrict script execution
  • Consider converting SVG to PNG on upload
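As an added example (not code from the original page), the following sanitizer implements the first prevention bullet as an allowlist rather than a denylist: the SVG is parsed as XML and rebuilt keeping only known drawing elements and safe attributes, so script, foreignObject, on* handlers and javascript: hrefs disappear because they were never allowed, not because a pattern matched them. The element allowlist, the attribute rules and the sample inputs below are this example's own choices, not from the page.

```python
"""Allowlist-based SVG sanitizer (added example; assumptions are marked)."""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree (same API)

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Serialize with the default SVG namespace and the conventional xlink prefix.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed allowlist of drawing elements. script, foreignObject, style, the
# animate*/set family and anything in a foreign namespace are absent on purpose.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "symbol", "title", "desc", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "path", "text", "tspan", "use",
    "linearGradient", "radialGradient", "stop", "clipPath", "mask", "pattern",
}
DENIED_ATTRIBUTES = {"style"}  # inline CSS can trigger url() loads; drop it
LINK_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}


def _split_tag(tag):
    """'{ns}name' -> ('ns', 'name'); un-namespaced names get ns ''."""
    if tag.startswith("{"):
        ns, _, name = tag[1:].partition("}")
        return ns, name
    return "", tag


def _safe_attribute(name, value):
    """Keep an attribute only if it cannot run or load anything."""
    _, local = _split_tag(name)
    if local.lower().startswith("on"):  # onload, onmouseover, ...
        return False
    if local in DENIED_ATTRIBUTES:
        return False
    if name in LINK_ATTRIBUTES:
        # Only same-document references (#gradient-id); this rejects
        # javascript:, data:, http(s): and protocol-relative targets.
        return value.strip().startswith("#")
    return True


def _sanitize_element(elem):
    """Return a rebuilt copy of elem without disallowed nodes, or None to drop it."""
    ns, local = _split_tag(elem.tag)
    if ns not in (SVG_NS, "") or local not in ALLOWED_ELEMENTS:
        return None  # drops script, foreignObject, xhtml:*, unknown elements
    attrs = {k: v for k, v in elem.attrib.items() if _safe_attribute(k, v)}
    clean = ET.Element(elem.tag, attrs)
    clean.text = elem.text
    last_kept = None
    for child in elem:
        copy = _sanitize_element(child)
        if copy is None:
            # The dropped node's own text goes with it; text after it is
            # ordinary character data, so reattach it to the previous node.
            tail = child.tail or ""
            if last_kept is None:
                clean.text = (clean.text or "") + tail
            else:
                last_kept.tail = (last_kept.tail or "") + tail
            continue
        copy.tail = child.tail
        clean.append(copy)
        last_kept = copy
    return clean


def sanitize_svg(svg_text):
    """Parse untrusted SVG text and return a sanitized XML serialization."""
    root = ET.fromstring(svg_text)
    clean = _sanitize_element(root)
    if clean is None or _split_tag(clean.tag)[1] != "svg":
        raise ValueError("document root is not an allowed <svg> element")
    return ET.tostring(clean, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample mirroring the page's three payload styles.
    sample = (
        '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<defs><linearGradient id="g"/></defs>'
        '<script>alert(document.cookie)</script>'
        '<rect width="100" height="100" onmouseover="alert(1)"/>'
        '<use xlink:href="#g"/><use href="javascript:alert(1)"/>'
        '<foreignObject><iframe xmlns="http://www.w3.org/1999/xhtml"'
        ' srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"/></foreignObject>'
        '</svg>'
    )
    print(sanitize_svg(sample))
```

This sanitizes the XML form of the document. Inline SVG that lands in an HTML page goes through the HTML parser, which tokenizes differently, so always emit the serialized output of the sanitizer rather than passing the original bytes through after checking them. The parse step also matters for the third prevention bullet: a file that is not well-formed XML is rejected outright instead of being served.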

See Also