Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

There’s nothing to report. For all intents and purposes SVG files are treated exactly like images. All interactivity and even the ability to load other resources is disabled.

FYI millions of readmes have had SVG badges for years.



Pretty sure they're just making a joke that a lot of bug bounty programs get tons of bullshit reports from security "researchers" who don't understand what they're doing. They're not actually claiming there's a legitimate issue.


There are SVGs which will crash most browsers, so SVGs could still be abused for denial-of-service attacks.

For example, you could post one of those SVGs in every issue thread of a GitHub project if you wanted to mess with someone.

Not eligible for a bug bounty though since this issue has been known (but not fixed) for years.


I'm not sure that's true.

For example, what happens when you right-click "View image" on an svg file? Does embedded JS get run in that case?


> For example, what happens when you right-click "View image" on an svg file? Does embedded JS get run in that case?

Servers can use CSP http headers to disable javascript execution completely AFAIK. Obviously older browsers like IE that do not support CSP will be vulnerable, but at that point, IE should be simply banned by Webservers, for the sake of the user.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: