First off, what kind of SVG reader does cloudflare assume to just open SVGs and Willy nilly run contained js? Is that a windows os feature?
Second, do they not know about Content Security Policies?
And as a side note: Cloudflare itself is considered harmful