SVG Allowlist for LWS
SVG can be targeted by cross-site scripting (XSS) attacks due to its permissive approach to loading and executing external resources. LWS applies SVG sanitization rules when it encounters potentially malicious content to prevent XSS attacks.
The SVG language includes an extensive list of elements that you can use inside the
Here is a list of elements that LWS considers safe and allows to remain in an svg element after sanitization. LWS removes elements that aren't in this list.
a, altglyph, altglyphdef, altglyphitem, animatecolor, animatemotion, animatetransform, audio
canvas, circle, clippath
g, glyph, glyphref
marker, mask, mpath
path, pattern, polygon, polyline
stop, switch, symbol
text, textpath, title, tref, tspan
video, view, vkern
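To show how an allowlist of this kind behaves on a parsed tree, here is an added example written for this page (it is not LWS code): it uses Python's ElementTree, the subset of the allowlist quoted above, and assumes, because the page lists clipPath as clippath, that names are matched case-insensitively.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# The allowed element names quoted on the page (lowercased there; only the
# subset the page shows, not necessarily the complete LWS list).
SVG_ALLOWLIST = frozenset("""
a altglyph altglyphdef altglyphitem animatecolor animatemotion animatetransform audio
canvas circle clippath g glyph glyphref marker mask mpath path pattern polygon polyline
stop switch symbol text textpath title tref tspan video view vkern
""".split())


def local_name(tag):
    """'{http://www.w3.org/2000/svg}clipPath' -> 'clipPath' (ElementTree tag form)."""
    return tag.rsplit("}", 1)[-1]


def is_allowed(tag):
    # Assumption: names are compared case-insensitively (page writes clipPath as clippath).
    return local_name(tag).lower() in SVG_ALLOWLIST


def sanitize_svg(markup):
    """Parse SVG markup, drop every element (with its whole subtree) whose name is
    not on the allowlist, and return (sanitized markup, names removed in order).
    The root <svg> container is kept; the allowlist applies to its contents."""
    ET.register_namespace("", SVG_NS)  # serialize without an ns0: prefix
    root = ET.fromstring(markup)
    removed = []

    def prune(parent):
        for child in list(parent):  # copy: the tree is mutated while iterating
            if is_allowed(child.tag):
                prune(child)
            else:
                removed.append(local_name(child.tag))
                parent.remove(child)  # takes the subtree with it, e.g. script text

    prune(root)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: an allowed g with a disallowed foreignObject nested inside,
# a top-level script, and an allowed clipPath.
SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<g><circle r="4"/><foreignObject><body>x</body></foreignObject></g>'
    "<script>alert(1)</script>"
    '<clipPath id="c"><circle r="2"/></clipPath>'
    "</svg>"
)
```

Calling `sanitize_svg(SAMPLE)` keeps the g, both circle elements and the clipPath, and reports `["foreignObject", "script"]` as removed; note that removing a disallowed element also removes everything nested under it.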
For example, this svg element contains a g element, which is allowed, and a script element, which isn't allowed.
After sanitization, this code becomes: