safe svg

Handle SVG safely before publishing

SVG is powerful XML. Treat unknown SVG as untrusted input until it has been sanitized and reviewed.

Block executable features

Reject scripts, event handlers, foreignObject, and unsafe XML features.

Avoid external references

External images, fonts, and links can create privacy, security, and reliability problems.

Preview in isolation

Use sandboxed preview and CSP as defense-in-depth for SVG workflows.

Safe SVG example

A simple local SVG avoids scripts and external references.

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 160 96" role="img"><title>Check badge</title><rect width="160" height="96" rx="14" fill="#0e7c66"/><path d="M39 55l18 18 64-64" fill="none" stroke="white" stroke-width="10" stroke-linecap="round" stroke-linejoin="round"/></svg>

Safe SVG Guide FAQ

Can SVG contain JavaScript?

Yes. That is why untrusted SVG should be sanitized before preview or inline use.

Is CSP enough for SVG safety?

No. Use sanitization, validation, and sandboxed preview together.