SVG analysis

All SVG files introduced or altered in a pull request are scanned by an SVG scanner that is currently maintained by VIP. The scanner flags any tags or attributes that are not on its whitelist and reports them in the automated code review posted by the VIP Code Analysis Bot.

SVG files are not ordinary raster images: they are XML documents that can carry arbitrary XML markup, and even HTML markup, some of which raises security concerns, for example:

  • <iframe> elements, which SVG permits inside a <foreignObject>, that can load external content of any kind.
  • <script> elements, a valid part of SVG markup, that can embed arbitrary JavaScript.
  • References to an external SVG file (for example via <use> or <image>), which is then effectively embedded in the referencing SVG.

The Bot's SVG analysis is enabled by default and looks for elements and attributes that carry security risk. Attributes matter as much as elements: SVG elements accept the same event-handler attributes as HTML (onload, onclick and so on), so script can run from an SVG that contains no <script> element at all. VIP recommends that all SVG feedback be evaluated carefully rather than dismissed. Mozilla's MDN Web Docs describe each SVG element and attribute, its purpose, and how it is used in SVG files; VIP recommends using them to assess the risk of anything the Bot flags.
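To make the whitelist approach concrete, here is an added example of a small SVG allowlist scanner in Python. It is not VIP's scanner and is not code from this page; the tag and attribute allowlists, the sample SVG and the finding messages are all constructed for illustration (VIP's actual lists are not published here). It walks every element, reports tags and attributes outside the allowlist, treats any on* attribute as an event handler, and flags href values that point outside the document, which covers the <script>, <iframe> and external-reference cases described above.

```python
"""Minimal SVG allowlist scanner (example code, not VIP's scanner)."""
import xml.etree.ElementTree as ET

# Hypothetical allowlists for this example; a real scanner would maintain
# far more complete lists. Anything not listed is reported.
ALLOWED_TAGS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "use", "symbol", "clipPath",
    "mask", "linearGradient", "radialGradient", "stop", "image",
}
ALLOWED_ATTRS = {
    "id", "class", "width", "height", "viewBox", "x", "y", "cx", "cy", "r",
    "rx", "ry", "x1", "y1", "x2", "y2", "d", "points", "fill", "stroke",
    "stroke-width", "stroke-linecap", "stroke-linejoin", "opacity",
    "transform", "style", "href", "version", "offset", "stop-color",
    "font-size", "font-family", "text-anchor", "preserveAspectRatio",
    "clip-path",
}


def _local(qname):
    """Strip ElementTree's '{namespace}name' prefix down to the local name."""
    return qname.rsplit("}", 1)[-1]


def _href_is_external(value):
    """True for any href that is not a same-document fragment such as '#id'.

    http(s):, data:, javascript:, protocol-relative and relative paths all
    count as external: each pulls content from outside this SVG.
    """
    return not value.strip().startswith("#")


def scan_svg(svg_text):
    """Return a list of (element_name, finding) tuples, in document order.

    Note: ET.fromstring does no DTD/entity hardening; a production scanner
    should parse with defusedxml or an equivalent before doing this walk.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():  # depth-first, document order; comments are dropped
        tag = _local(elem.tag)
        if tag not in ALLOWED_TAGS:
            findings.append((tag, f"tag <{tag}> is not allowlisted"))
        for attr, value in elem.attrib.items():
            name = _local(attr)  # xlink:href arrives as '{xlink-ns}href'
            if name.lower().startswith("on"):
                findings.append((tag, f"event handler attribute {name}"))
            elif name not in ALLOWED_ATTRS:
                findings.append((tag, f"attribute {name} is not allowlisted"))
            elif name == "href" and _href_is_external(value):
                findings.append((tag, f"external reference href={value!r}"))
    return findings


# Constructed sample input: one benign shape plus every risk category above.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" viewBox="0 0 100 100" onload="alert(1)">
  <title>Constructed sample for the scanner</title>
  <circle cx="50" cy="50" r="40" fill="#09f"/>
  <script>alert(document.cookie)</script>
  <foreignObject width="100" height="100">
    <iframe xmlns="http://www.w3.org/1999/xhtml" src="https://example.invalid/"/>
  </foreignObject>
  <use xlink:href="https://example.invalid/other.svg#icon"/>
  <use href="#local"/>
</svg>"""


if __name__ == "__main__":
    for element, finding in scan_svg(SAMPLE_SVG):
        print(f"<{element}>: {finding}")
```

On the sample above the scanner reports six findings: the onload handler on the root, the <script> and <foreignObject> elements, the <iframe> element and its src attribute, and the <use> whose href leaves the document; the <use href="#local"> is accepted. Note that the allowlist is deliberately strict about attributes as well as tags, because an SVG with no <script> element can still execute code through an event handler.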

Last updated: October 07, 2021