The Evil SVG Project
The purpose of this article is to provide a repeatable means to performing cross-site scripting attacks via a SVG file. SVG, otherwise known as “scalable vector graphics” in which a XML document used to build an image.
The above code generates the following image:
Which after loading the SVG within a browser results in XSS.
Take for example the following code:
With all of this in mind, seriously consider limiting or blocking SVGs from being uploaded. More often than not, developers have overlooked SVG as a potential threat vector and allow profile picture upload of malicious SVG files.
Additionally, if you are familiar with XXE attacks, this can also be used for that attack vector in some circumstances. If you aren’t already scanning uploads regardless of their extension or mime type, it might be time to change that.
Long story short, if you can pop XSS within a SVG you can do pretty much anything up to and including store malicious JS, malicious XML or malicious HTML in-line.