All SVG files introduced or altered in pull requests are scanned by an SVG scanner maintained currently by VIP. The scanner will flag any non-whitelisted attributes or tags and report them in the automated code review by the VIP Code Analysis Bot.
SVG files are not regular images, but rather XML files that can contain valid XML markup and even HTML markup, some of which can cause potential security issues such as:
<iframe>elements that can refer to external content of any kind.
- An SVG can also reference an external SVG, meaning that it is embedded in the former SVG file.
The Bot enables analysis of SVG files by default to look for any attributes that relate to security risks. VIP recommends that all SVG feedback is carefully evaluated. Mozilla’s MDN Web Docs contain useful information on SVG elements and attributes, their purpose, and how they are used in SVG files. VIP recommends using these to evaluate risks from attributes and elements noted by the Bot.