SVG Allowlist for LWS

SVG can be targeted by cross-site scripting (XSS) attacks due to its permissive approach to loading and executing external resources. LWS applies SVG sanitization rules when it encounters potentially malicious content to prevent XSS attacks.

The SVG language includes an extensive list of elements that you can use inside the <svg> tag.

Here is the list of elements that LWS considers safe and leaves in place in an svg element after sanitization. LWS removes any element that isn’t in this list.

  • a, altglyph, altglyphdef, altglyphitem, animatecolor, animatemotion, animatetransform, audio
  • canvas, circle, clippath
  • defs, desc
  • ellipse
  • filter, font
  • g, glyph, glyphref
  • hkern
  • image
  • line, lineargradient
  • marker, mask, mpath
  • path, pattern, polygon, polyline
  • radialgradient, rect
  • stop, switch, symbol
  • text, textpath, title, tref, tspan
  • use
  • video, view, vkern

For example, this svg element contains a g element, which is allowed, and a script element, which isn’t allowed.

After sanitization, this code becomes:
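As an added example (not LWS’s own sanitizer), the following JavaScript applies this page’s element allowlist to constructed markup containing an allowed g element and a disallowed script element, so the before/after behaviour described above can be run and inspected. The tokenizer, the sample input and the assumption of well-formed markup are the example’s own.

```javascript
// Added example (not LWS's own code): keeps only the elements on this
// page's allowlist and drops any other element with its whole subtree.
const LWS_SVG_ALLOWLIST = new Set([
  'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion',
  'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc',
  'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line',
  'lineargradient', 'marker', 'mask', 'mpath', 'path', 'pattern', 'polygon',
  'polyline', 'radialgradient', 'rect', 'stop', 'switch', 'symbol', 'text',
  'textpath', 'title', 'tref', 'tspan', 'use', 'video', 'view', 'vkern',
]);

// Tag/text tokenizer. Assumption for this illustration: well-formed markup
// without comments, CDATA or '>' inside attribute values.
const TOKEN_RE = /<\/?([A-Za-z][\w:-]*)[^>]*?(\/?)>|[^<]+/g;

function sanitizeSvgElements(markup, allowlist = LWS_SVG_ALLOWLIST) {
  let out = '';
  let dropDepth = 0; // > 0 while inside a removed element's subtree
  for (const [token, rawName, selfClosing] of markup.matchAll(TOKEN_RE)) {
    if (rawName === undefined) {          // text node
      if (dropDepth === 0) out += token;
      continue;
    }
    const name = rawName.toLowerCase();   // allowlist names are lowercase
    const isClose = token.startsWith('</');
    const isOpen = !isClose && !selfClosing;
    if (dropDepth > 0) {                  // inside a removed subtree
      if (isOpen) dropDepth++;
      else if (isClose) dropDepth--;
      continue;
    }
    // The svg root itself stays; every other element must be allowlisted.
    if (name === 'svg' || allowlist.has(name)) {
      out += token;
    } else if (isOpen) {
      dropDepth = 1;                      // drop this element and its children
    } // a disallowed self-closing or stray closing tag is simply skipped
  }
  return out;
}

// Constructed sample: an allowed g element beside script and foreignObject,
// neither of which is on the allowlist.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<g><rect width="10" height="10"/></g>' +
  '<script>console.log("removed")</script>' +
  '<foreignObject><div>removed too</div></foreignObject>' +
  '</svg>';
```

Calling sanitizeSvgElements(SAMPLE_SVG) returns the svg root with only the g subtree left; the script and foreignObject elements, and their contents, are gone.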