XSS vs SVG Attacks: Pros, Cons, and Real Risks
Cross-site scripting gets most of the attention, but SVG-based attacks keep showing up in bug bounty reports, file upload flaws, and chat apps that “support rich images.” If you build web apps, you should treat SVG as part image, part document, part script container, and part footgun. The tricky part is that XSS and SVG attacks are not competing categories. SVG attacks often become XSS. That overlap is exactly why teams underestimate them. ...