SVG Allowlist for LWS
SVG is a common vector for cross-site scripting (XSS) because the format can embed script and is permissive about loading and executing external resources. To prevent XSS, LWS applies SVG sanitization rules to potentially malicious SVG content before it is rendered.
The SVG language includes an extensive list of elements that you can use inside the <svg> tag.
Here is the list of elements that LWS considers safe and allows to remain in an svg element after sanitization. LWS removes elements that aren't in this list.
a, altglyph, altglyphdef, altglyphitem, animatecolor, animatemotion, animatetransform, audio
canvas, circle, clippath
defs, desc
ellipse
filter, font
g, glyph, glyphref
hkern
image
line, lineargradient
marker, mask, mpath
path, pattern, polygon, polyline
radialgradient, rect
stop, switch, symbol
text, textpath, title, tref, tspan
use
video, view, vkern
For example, suppose an svg element contains a g element, which is allowed, and a script element, which isn't allowed. After sanitization, the g element remains and the script element is removed.
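The following is an added example, not LWS source code and not this page's own before/after markup. It applies the element allowlist above to a constructed SVG document using Python's standard-library XML parser: every element whose name is not on the list is removed together with its whole subtree, and any text that followed a removed element is preserved. The names `sanitize_svg`, `element_names`, `SAMPLE_SVG`, and `LWS_SVG_ALLOWLIST` are this example's own, and lowercasing element names before comparison is the example's assumption, chosen to match the lowercase spellings on this page; it is not a statement about how LWS compares names.

```python
"""Allowlist-based SVG element sanitizer (added example, not LWS source code).

Applies the element allowlist from this page to an SVG document using the
standard-library XML parser: every element whose name is not in the list is
removed together with its entire subtree. Attribute handling (for example
onload or href) is out of scope for this example.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# The element allowlist exactly as listed on this page (lowercase spellings).
LWS_SVG_ALLOWLIST = frozenset("""
a altglyph altglyphdef altglyphitem animatecolor animatemotion animatetransform audio
canvas circle clippath defs desc ellipse filter font g glyph glyphref hkern image
line lineargradient marker mask mpath path pattern polygon polyline
radialgradient rect stop switch symbol text textpath title tref tspan
use video view vkern
""".split())

# Serialize SVG-namespaced elements back out with a plain xmlns="..." declaration
# instead of ElementTree's generated ns0: prefixes.
ET.register_namespace("", SVG_NS)


def local_name(tag: str) -> str:
    """Strip ElementTree's '{namespace}' prefix and lowercase the element name.

    XML element names are case-sensitive (linearGradient, clipPath), but the
    allowlist on this page is written in lowercase, so the comparison is done on
    the lowercased local name. This is an assumption of the example only.
    """
    if tag.startswith("{"):
        tag = tag.split("}", 1)[1]
    return tag.lower()


def _prune(parent: ET.Element, allowlist, removed: list) -> None:
    """Remove every child of parent not in allowlist, recursing into kept ones."""
    i = 0
    while i < len(parent):
        child = parent[i]
        name = local_name(child.tag)
        if name in allowlist:
            _prune(child, allowlist, removed)
            i += 1
            continue
        removed.append(name)
        # Keep any text that followed the removed element: ElementTree stores it
        # as the element's .tail, so it would otherwise vanish with the element.
        tail = child.tail or ""
        if i == 0:
            parent.text = (parent.text or "") + tail
        else:
            parent[i - 1].tail = (parent[i - 1].tail or "") + tail
        parent.remove(child)  # drops the whole subtree; do not advance i


def sanitize_svg(svg_markup: str, allowlist=LWS_SVG_ALLOWLIST):
    """Return (sanitized_markup, removed_element_names_in_document_order).

    The root must be an svg element; the allowlist describes what may appear
    inside it, which is why 'svg' itself is not on the list.
    """
    root = ET.fromstring(svg_markup)
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed: list = []
    _prune(root, allowlist, removed)
    return ET.tostring(root, encoding="unicode"), removed


def element_names(markup: str) -> list:
    """Sorted, de-duplicated local names of all elements in markup (for checks)."""
    root = ET.fromstring(markup)
    return sorted({local_name(el.tag) for el in root.iter()})


# Constructed sample input (not from the page): an allowed g containing a
# nested script, a top-level script, a foreignObject smuggling HTML with an
# event-handler attribute, and a script inside text followed by text content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <g id="shape">
    <rect x="10" y="10" width="80" height="80"/>
    <script>alert('nested')</script>
  </g>
  <script>alert(document.domain)</script>
  <foreignObject width="10" height="10">
    <div xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/></div>
  </foreignObject>
  <text>kept<script>alert(2)</script> and still kept</text>
</svg>"""

if __name__ == "__main__":
    cleaned, dropped = sanitize_svg(SAMPLE_SVG)
    print("removed:", dropped)
    print(cleaned)
```

Two practical points the example makes visible. First, the decision is made on a parsed tree, not on the markup text: the script nested inside an allowed g and the HTML hidden inside foreignObject are both dropped by one decision at the disallowed node, which regex-based stripping gets wrong. Second, an element allowlist alone is not a complete SVG sanitizer: elements on the list such as a, image, and use can still carry href values, and any element can carry event-handler attributes such as onload, none of which this example touches. This page does not describe how LWS treats attributes, so the example does not guess at it; treat attribute filtering as a separate, required step in any real sanitizer.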