Skip to content

SVG analysis

All SVG files introduced or altered in pull requests are scanned by an SVG scanner maintained by VIP. The scanner will flag any non-whitelisted attributes or tags and report them in the automated code review by the VIP Code Analysis Bot

The Bot enables analysis of SVG files by default to look for any attributes related to security risks. SVG files are not regular images, but rather XML files that can contain valid XML markup and even HTML markup, some of which can cause potential security issues such as: 

  • Allowed <iframe> elements that can refer to external content.
  • Allowed <script> tags, a valid part of SVG markup, that can embed JavaScript.
  • An SVG can also reference an external SVG, which is embedded in the former SVG file.

VIP recommends that all SVG attributes and elements noted by the Bot are carefully evaluated using Mozilla’s MDN Web Docs on SVG elements and attributes, their purpose, and how they are used in SVG files.

Last updated: November 29, 2022