Hacker News new | ask | show | jobs
by lmm 24 days ago
If you trust your browser it's fine, and if you don't then both CSS and SVG are significantly more risky.
3 comments
margalabargala 24 days ago
This isn't true at all.

Anything SVG does maliciously, it does by containing JavaScript, so SVG's worst case is a subset of JS's.

link
fc417fc802 24 days ago
Remind me again what the ratio of browser sandbox escapes coupled with full RCE is between JS, CSS, and SVG?
link
sysguest 24 days ago
> then both CSS and SVG are significantly more risky.

how???

link