Block executable features
Reject scripts, event handlers, foreignObject, and unsafe XML features.
safe svg
SVG is powerful XML. Treat unknown SVG as untrusted input until it has been sanitized and reviewed.
Reject scripts, event handlers, foreignObject, and unsafe XML features.
External images, fonts, and links can create privacy, security, and reliability problems.
Use sandboxed preview and CSP as defense-in-depth for SVG workflows.
A simple local SVG avoids scripts and external references.
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 160 96" role="img"><title>Check badge</title><rect width="160" height="96" rx="14" fill="#0e7c66"/><path d="M39 55l18 18 64-64" fill="none" stroke="white" stroke-width="10" stroke-linecap="round" stroke-linejoin="round"/></svg>
Yes. That is why untrusted SVG should be sanitized before preview or inline use.
No. Use sanitization, validation, and sandboxed preview together.