Is SVG safe to use on websites? (from security point of view)
From security point of view, is SVG safe to use on websites?
Or are JPG, PNG and WEBP better when it comes to security?
I know that SVG is a text XML format and the other formats are binary; is that better or worse when it comes to the security of websites?
It depends on what you want to do with SVG images.
When you want to:
- use them as static resources as styling elements, knowing the SVG files' source, it is safe.
- let users upload them and use them with <img> HTML elements, it is safe until someone uploads an SVG image with malicious source code such as embedded JavaScript, and another one copies it, placing it into their own source code.
- let users upload them and display them embedded into the HTML structure, it may not be safe, if malicious source code such as embedded JavaScript could be attached there.
Finally: It is necessary to filter SVG image elements and attributes.
From Wikipedia:
It is common to see SVG described as an image format, but it is actually a document format, similar to HTML documents, and so can host script or CSS. This is an issue when an attacker can upload an SVG file to a website, such as a profile picture, and the file is treated as a normal picture but contains malicious content. For instance, if an SVG file is deployed as a CSS background image, or a logo on some website, or in some image gallery, then when the image is loaded in a browser it activates a script or other content. This could lock up the browser (the Billion laughs attack), but could also lead to HTML injection and cross-site scripting attacks. The W3C therefore stipulate certain requirements when SVG is simply used for images: SVG Security.
The W3C says that Inline SVG (an SVG file loaded natively on a website) is considered less of a security risk because the content is part of a greater document, and so scripting and CSS would not be unexpected.
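Both answers land on the same practical point: an uploaded SVG is a document, so before it is stored or rendered inline it has to be reduced to an allowlisted set of elements and attributes, and entity declarations (the vehicle of the Billion laughs expansion) have to be rejected outright. The following server-side sanitizer is an added example written for this page, not code from either answer or from the W3C; the allowlists, the `UnsafeSvg` exception, the `sanitize_svg`/`accepts` function names and the constructed sample uploads are all assumptions, and the allowlists are deliberately small so that anything a real deployment needs (filters, markers, animation) must be added consciously.

```python
"""Allowlist-based SVG sanitizer for user uploads (constructed example)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize SVG elements without a prefix
ET.register_namespace("xlink", XLINK_NS)

# Assumed allowlists: plain drawing primitives only. <script>, <style>, <image>,
# <a>, <foreignObject>, <animate>, <set> ... are absent on purpose.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "symbol", "use", "title", "desc",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop", "clipPath", "mask",
}
ALLOWED_ATTRS = {
    "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "viewBox", "d", "points", "fill", "stroke", "stroke-width",
    "transform", "opacity", "offset", "stop-color", "gradientUnits", "href",
    "font-size", "text-anchor", "clip-path", "mask",
}
# href/xlink:href may only point inside the document (#gradient, #symbol), never
# to javascript:, data: or an external URL.
SAFE_HREF = re.compile(r"^#[\w.\-]+$")


class UnsafeSvg(ValueError):
    """Raised when the upload is rejected outright instead of being cleaned."""


def _local(qname: str) -> str:
    """Strip the {namespace} part that ElementTree prepends to qualified names."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname


def _clean(elem: ET.Element) -> None:
    for key in list(elem.attrib):
        name, value = _local(key), elem.attrib[key]
        # Event handlers (onload, onclick, ...) and every non-allowlisted attribute
        # (including style, which can pull in external resources) are dropped.
        if (name.startswith("on") or name not in ALLOWED_ATTRS
                or (name == "href" and not SAFE_HREF.match(value.strip()))):
            del elem.attrib[key]
    for child in list(elem):
        # Comments/PIs have a non-string tag; the default parser drops them anyway.
        if not isinstance(child.tag, str) or _local(child.tag) not in ALLOWED_ELEMENTS:
            elem.remove(child)      # removes the whole subtree, e.g. <script>...</script>
        else:
            _clean(child)


def sanitize_svg(data: str) -> str:
    """Return a cleaned SVG document, or raise UnsafeSvg if it must be refused."""
    # Entity declarations are what the Billion laughs attack is built from; a
    # benign icon never needs a DOCTYPE, so refuse before the parser expands anything.
    if re.search(r"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        raise UnsafeSvg("DOCTYPE/ENTITY declarations are not allowed")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise UnsafeSvg(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SVG_NS}}}svg":
        raise UnsafeSvg("root element is not <svg> in the SVG namespace")
    _clean(root)
    return ET.tostring(root, encoding="unicode")


def accepts(data: str) -> bool:
    """True if the document can be sanitized, False if it is rejected outright."""
    try:
        sanitize_svg(data)
        return True
    except UnsafeSvg:
        return False


# Constructed sample uploads: one carries script in several places, one is a
# Billion-laughs style entity bomb (kept tiny here so it is harmless to parse).
MALICIOUS_UPLOAD = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <rect x="0" y="0" width="100" height="100" fill="red" onclick="alert(2)"/>
  <use xlink:href="javascript:alert(3)"/>
  <use xlink:href="#ok"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(4)"/></body></foreignObject>
</svg>"""
ENTITY_BOMB = ('<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
               '<!ENTITY lol2 "&lol;&lol;&lol;">]>'
               '<svg xmlns="http://www.w3.org/2000/svg"><text>&lol2;</text></svg>')

if __name__ == "__main__":
    print(sanitize_svg(MALICIOUS_UPLOAD))
    print("entity bomb accepted:", accepts(ENTITY_BOMB))
```

Two design choices matter here. The sanitizer is an allowlist, not a denylist: an unknown element or attribute is removed, so a feature the author forgot about fails closed. And the DOCTYPE check runs on the raw text before parsing, because once the XML parser has started expanding entities it is already too late to be selective. Serving the stored result with a restrictive Content-Security-Policy and only ever referencing it from <img> or CSS, as the first answer recommends, is the other half of the defence; sanitization alone does not justify inlining untrusted SVG into the page.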