At this week’s meeting of OWASP Sweden, security researcher Mario Heiderich gave a presentation on the security implications of SVG support in modern web browsers.
The immediate danger is that any site that lets users upload or link to images may be open to cross-site scripting attacks, because an SVG file is XML and can carry JavaScript: in <script> elements, in event-handler attributes such as onload, in javascript: links, and in references to external resources. For example, an attacker can upload an SVG file to Wikipedia and have its code executed in an unsuspecting victim’s browser. Or an attacker can simply post a link to an SVG image on a forum. If the forum software embeds images with the <img> tag, the users’ browsers will load the SVG and, according to the presentation, possibly execute the code. (Security measures have been added to avoid this, but according to Mario Heiderich they are easy to circumvent.) One caveat worth keeping in mind: browsers are supposed to render an SVG referenced by <img> in a restricted image mode with script disabled, so for a site that hosts uploads the case that matters most is the file being opened directly at its upload URL, or embedded with <object>, <embed> or <iframe>, where its script runs with the origin the file is served from, and an <img> tag on a third-party forum only has to point there.
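To make the attack vectors above concrete, here is an added example (my own code, not from the presentation or from Wikipedia’s upload filter) of the check an upload handler would run on an SVG before accepting it. It parses the file as XML and reports the things an SVG can use to run script or pull in foreign content: <script>, <foreignObject> and similar elements, on* event-handler attributes, href/xlink:href values pointing at javascript:, data: or remote URLs, animation elements that can rewrite an href at runtime, and stylesheets with external references. A second function strips those parts. The two SVG documents in the block are constructed for the demonstration; the element and attribute lists are my choice of a conservative policy, not a complete enumeration of what the SVG specification allows.

```python
"""Scan an uploaded SVG for active content, and strip it.

Added example; standard library only. The policy (which elements and
attributes count as active) is an assumption of this example, chosen
conservatively rather than derived from the SVG specification.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default namespace on output instead of ElementTree's ns0: prefixes.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script directly or embed non-SVG content.
ACTIVE_ELEMENTS = {"script", "handler", "foreignObject", "iframe", "embed", "object"}
# SMIL animation elements can set href/xlink:href to javascript: at runtime.
ANIMATION_ELEMENTS = {"set", "animate", "animateMotion", "animateTransform", "animateColor"}
# Both the SVG 2 plain href and the SVG 1.1 xlink:href (ElementTree's {ns}name form).
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
# Schemes and remote references we refuse. data: is blocked too; if raster
# images embedded as data:image/... are needed, allowlist them separately.
DANGEROUS_HREF = re.compile(r"^\s*(?:javascript:|vbscript:|data:|https?:|//)", re.IGNORECASE)
# CSS that fetches external resources (@import, url()).
EXTERNAL_CSS = re.compile(r"@import|url\s*\(", re.IGNORECASE)


def _local(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def _bad_element(el):
    """Return the element's local name if the whole element must go, else None."""
    name = _local(el.tag)
    if name in ACTIVE_ELEMENTS or name in ANIMATION_ELEMENTS:
        return name
    if name == "style" and EXTERNAL_CSS.search(el.text or ""):
        return name
    return None


def _bad_attr(attr, value):
    """Return a finding kind if the attribute must be dropped, else None."""
    aname = _local(attr)
    if aname.lower().startswith("on"):          # onload, onclick, onmouseover, ...
        return "event-handler"
    if attr in HREF_ATTRS and DANGEROUS_HREF.match(value):
        return "href"
    if aname == "style" and EXTERNAL_CSS.search(value):
        return "style-attr"
    return None


def find_active_content(svg_text):
    """Return a list of (kind, detail) findings; an empty list means nothing was flagged.

    Raises xml.etree.ElementTree.ParseError on malformed input, which an upload
    handler should treat as a rejection, not as 'no findings'.
    """
    findings = []
    for el in ET.fromstring(svg_text).iter():
        if not isinstance(el.tag, str):        # comments / processing instructions
            continue
        name = _local(el.tag)
        bad = _bad_element(el)
        if bad:
            findings.append(("element", bad))
        for attr, value in el.attrib.items():
            kind = _bad_attr(attr, value)
            if kind:
                findings.append((kind, "%s@%s" % (name, _local(attr))))
    return findings


def sanitize_svg(svg_text):
    """Return the SVG with flagged elements removed and flagged attributes dropped."""
    root = ET.fromstring(svg_text)
    # ElementTree has no parent pointers, so build a child -> parent map first.
    parent = {child: p for p in root.iter() for child in p}
    for el in list(root.iter()):
        if not isinstance(el.tag, str):
            continue
        if _bad_element(el):
            if el in parent:                   # the root itself cannot be removed
                parent[el].remove(el)
            continue
        for attr in list(el.attrib):
            if _bad_attr(attr, el.attrib[attr]):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed samples for the demonstration (not real uploads).
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><circle cx="50" cy="50" r="40" fill="red"/></a>
  <use xlink:href="http://attacker.example/evil.svg#payload"/>
  <set attributeName="href" to="javascript:alert(2)"/>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">html inside svg</div></foreignObject>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100">
  <defs><circle id="dot" r="10" fill="blue"/></defs>
  <use xlink:href="#dot" x="50" y="50"/>
  <rect width="100" height="100" fill="none" stroke="black"/>
</svg>"""

if __name__ == "__main__":
    for kind, detail in find_active_content(MALICIOUS_SVG):
        print("%-14s %s" % (kind, detail))
    print("benign findings:", find_active_content(BENIGN_SVG))
    print(sanitize_svg(MALICIOUS_SVG))
```

Stripping is the second line of defence; the first is where and how the file is served. Uploads that are only ever meant to be shown through <img> can be served from a separate origin that holds no session cookies, or with a Content-Disposition: attachment header so that opening the URL directly downloads the file instead of rendering it, and rasterising the SVG on upload removes the problem entirely. Anything that does not parse as well-formed XML should be rejected rather than passed through.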
My main takeaway from the presentation was that the <img> tag is not as harmless as it may seem after SVG support was added. You need to be careful with it!
Added March 11th: Here is Mario’s presentation about SVG. He also gave a presentation about protecting against XSS with Object.defineProperty.