James Endicott on Nostr:
There are a couple of solutions to that. If, instead of directly including the source in an `<svg>` or `<object>`, you put it in an `<img src="foo.svg" />`, it won't execute any embedded JS, but that also costs it any interactivity, even from stuff like `:hover`.
Also, it sounds like it's just Chrome that allows unrestricted Javascript shenanigans. Firefox, theoretically, discards `<script>` tags in SVG but my source on that claim is old so it might not be true anymore.
I just hate that the solution to this problem that we're all supposed to go along with is the `<canvas>` element with associated APIs. I have to imagine that it's less safe to allow users to upload JS or WASM directly than it is to risk that they might sneak JS into an SVG.
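A server-side counterpart to the `<img>` trade-off described in the post, as an added example that is not the poster's code: strip the script-bearing parts of an uploaded SVG (`<script>`, `<foreignObject>`, `on*` handlers, `javascript:` hrefs, and SMIL animations that rewrite an href) while leaving `<style>` in place so `:hover` rules keep working. The drop policy and the sample SVG are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Policy chosen for this example (an assumption, not a browser or spec list):
# drop elements that run or embed code, drop on* handlers, drop script-scheme
# hrefs, drop animations that retarget an href, keep <style> for :hover.
DROP_TAGS = {f"{{{SVG_NS}}}script", f"{{{SVG_NS}}}foreignObject"}
ANIM_TAGS = {f"{{{SVG_NS}}}set", f"{{{SVG_NS}}}animate"}
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
BAD_SCHEMES = ("javascript:", "vbscript:")

def _unsafe_href(value):
    # Browsers ignore whitespace/control characters inside the scheme, so drop them first.
    v = "".join(ch for ch in value if ord(ch) > 32).lower()
    return v.startswith(BAD_SCHEMES)

def sanitize_svg(svg_text):
    """Return (cleaned_svg_text, number_of_elements_and_attributes_removed)."""
    root = ET.fromstring(svg_text)
    removed = 0
    for parent in list(root.iter()):          # snapshot: we mutate while walking
        for child in list(parent):
            retargets_href = child.tag in ANIM_TAGS and \
                child.get("attributeName", "").endswith("href")
            if child.tag in DROP_TAGS or retargets_href:
                parent.remove(child)
                removed += 1
    for el in root.iter():
        for name in list(el.attrib):
            local = name.rsplit("}", 1)[-1]   # strip namespace prefix, if any
            if local.lower().startswith("on"):
                del el.attrib[name]
                removed += 1
            elif name in HREF_ATTRS and _unsafe_href(el.attrib[name]):
                del el.attrib[name]
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample upload: one CSS hover rule worth keeping, four things to strip.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <style>circle:hover { fill: red; }</style>
  <script>alert(1)</script>
  <circle cx="20" cy="20" r="10" onclick="alert(1)"/>
  <a xlink:href="javascript:alert(1)"><text y="50">link</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">x</body></foreignObject>
</svg>"""

if __name__ == "__main__":
    cleaned, count = sanitize_svg(SAMPLE)
    print(count, "items removed")
    print(cleaned)
```

Parsing with ElementTree also rejects malformed markup outright, which is what you want at an upload boundary; the `<img>` route remains the simpler choice when interactivity is not needed.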