Editing SVG (section)

== Security ==

As a document format, similar to HTML documents, SVG can host scripts or CSS. This is an issue when an attacker can upload a SVG file to a website, such as a profile picture, and the file is treated as a normal picture but contains malicious content.<ref>{{Cite web|url=https://www.fortinet.com/blog/threat-research/scalable-vector-graphics-attack-surface-anatomy|title=Anatomy of Scalable Vector Graphics (SVG) Attack Surface on the Web|first=Thanh Nguyen|last=Nguyen|date=7 November 2019|website=Fortinet Blog|access-date=21 February 2023|archive-date=21 February 2023|archive-url=https://web.archive.org/web/20230221155554/https://www.fortinet.com/blog/threat-research/scalable-vector-graphics-attack-surface-anatomy|url-status=live}}</ref> For instance, if an SVG file is deployed as a CSS background image, or a logo on some website, or in some image gallery, then when the image is loaded in a browser it activates a script or other content. This could lock up the browser (the [[Billion laughs attack]]), but could also lead to [[Code injection|HTML injection]] and [[cross-site scripting]] attacks. The W3C therefore stipulate certain requirements when SVG is simply used for images: SVG Security.<ref name="auto">{{Cite web|url=https://www.w3.org/wiki/SVG_Security|title=SVG Security - W3C Wiki|website=W3C|access-date=21 February 2023|archive-date=21 February 2023|archive-url=https://web.archive.org/web/20230221155554/https://www.w3.org/wiki/SVG_Security|url-status=live}}</ref>

The W3C says that Inline SVG (an SVG file loaded natively on a website) is considered less of a security risk because the content is part of a greater document, and so scripting and CSS would not be unexpected.<ref name="auto"/>