SVG security checklist for untrusted files
SVG is XML with rendering and scripting capabilities, not a passive bitmap. Treat an unknown SVG as active content until it has been inspected and sanitized.
Inspect active content
Look for script elements, event-handler attributes, foreignObject, animation, links, and style rules that can trigger external behavior. Removing one script tag is not enough if other active mechanisms remain.
Review external references
Images, fonts, filters, CSS, and links can reference remote URLs or local fragments. Decide whether every reference is necessary, then remove or inline resources that should not contact another origin.
Choose a safe embedding method
An SVG loaded as an image has different capabilities from inline SVG or an object element. Use the least-privileged embedding method that supports the required appearance and interaction.
Sanitize and verify
Use a maintained sanitizer or a clearly defined allowlist for production uploads. Render the cleaned result in an isolated environment, compare its appearance, and apply a restrictive Content Security Policy where possible.