“library scratch uses in the costume editor. it turns out that while scratch sanitized svgs before working on them in scratch-svg-renderer, unsanitized svgs were still being passed to paper.js. this has largely the same impact as the 2020 scratch-svg-renderer xss, but occ…”
T1027.017 SVG Smuggling (81%)
“the woes of sanitizing svgs scratch has a long history of svg-related vulnerabilities. the source of these is that scratch parses user-generated (ie. attacker-controlled) content into an <svg> element and appends it into the main document for various operations (eg. me…”
T1027.017 SVG Smuggling (79%)
“using url(), an attacker can use image-set() to create an svg that will invoke an external request when it is loaded. examples: <svg xmlns="http://www.w3.org/2000/svg"> <!-- image-set(...) can cause external resources to be requested without using url…”
T1027.017 SVG Smuggling (71%)
“be executed when the svg loads. this is known as an xss. in scratch terms, an xss allows an attacker to take actions on behalf of anyone that loads their project. for example, the attacker can post comments, delete projects, or otherwise try to take over the victim's account. i…”
T1027.017 SVG Smuggling (63%)
“() or image() to create an svg that will invoke an external request when it is loaded. examples: <svg xmlns="http://www.w3.org/2000/svg"> <!-- everything in this file relies on features that are defined in the browser specs, but not yet implemented in any br…”
T1027.017 SVG Smuggling (62%)
“-color: yellow !important; color: black !important; border: 10px solid red !important; transform: scale(1.1) !important; } </style> </svg> i won't pretend to fully understand what's going on here or why it works non-deterministically, but my general under…”
T1027.017 SVG Smuggling (60%)
“</foreignObject> </svg> this was somewhat fixed on an extremely delayed timeline by extending the existing svg sanitization code to run when loading an svg, not just when processing it in scratch-svg-renderer. this means that paper.js will only receive svgs that have a…”
T1027.017 SVG Smuggling (50%)
“(https://example.com/ping) 1x); } </style> <rect class="image-set-with-inner-url-function"></rect> <!-- image-set() can also be used in inline style attributes. --> <rect style="background-image: image-set('https://example…”
T1027.017 SVG Smuggling (33%)
“##warp (a scratch fork i work on) was unaffected by the 2026 http leaks and full page restyling issue. this isn't because i found all the clever ways for an svg to do something bad; in fact i actually deleted the css sanitization code entirely to make packaged projects 400kb…”