(jon.recoil.org)

281 points sadiq | 3 comments | 11 Dec 25 19:25 UTC | HN request time: 0.789s | source

1. felineflock ◴[12 Dec 25 02:03 UTC] No.46240040[source]▶

>>46235959 (OP) #

"SVG Considered Harmful"

https://www.cloudflare.com/cloudforce-one/research/svgs-the-...

replies(2): >>46240219 #>>46242207 #

2. perilunar ◴[12 Dec 25 02:29 UTC] No.46240219[source]▶

>>46240040 (TP) #

"Since SVGs are essentially code, they can embed JavaScript"

Odd thing to say. Everything on a computer is "essentially code", executable or not.

3. tomalbrc ◴[12 Dec 25 08:57 UTC] No.46242207[source]▶

>>46240040 (TP) #

First off, what kind of SVG reader does cloudflare assume to just open SVGs and Willy nilly run contained js? Is that a windows os feature? Second, do they not know about Content Security Policies?

And as a side note: Cloudflare itself is considered harmful

↑

An SVG is all you need