by Kiro 4482 days ago
Hm, how does this work? How can JavaScript be executed like that when it's included as an image?

Curious about that too. If I load an SVG in the address bar with an embedded script I can show alert(), but linked into HTML using an <img> tag, alert does not run. Sandboxed? Otherwise I could execute JS just by loading it in using SVG via <img>.
Looks like it's not sandboxed at all?

> Any functions defined within any script element have a global scope across the entire current document.

[0] https://developer.mozilla.org/en-US/docs/Web/SVG/Element/scr...

As images / targets, SVG documents have their own global scope, much like a page in an iframe.
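
Added example, not part of the thread: a triage check for SVG files that flags markup which can run script when the file is opened as a document (address bar, iframe) even though it stays inert when referenced through <img>. The function name, finding labels and sample SVG strings are constructed for illustration; regex scanning is a heuristic for review queues, not a sanitizer.

```javascript
// Added example: heuristic scan of SVG text for active content.
// Names and sample inputs are assumptions made for this illustration.
const TAG_RE = /<\s*([A-Za-z][\w:.-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function findActiveContent(svgText) {
  const findings = [];
  for (const tag of svgText.matchAll(TAG_RE)) {
    // Compare on the local name so svg:script is treated like script.
    const name = tag[1].toLowerCase().replace(/^.*:/, "");
    if (name === "script") findings.push({ kind: "script-element", detail: tag[1] });
    // foreignObject can carry HTML, which brings its own script vectors.
    if (name === "foreignobject") findings.push({ kind: "foreign-object", detail: tag[1] });

    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? "";
      // Inline event handlers such as onload or onclick.
      if (/^on[a-z]+$/.test(attrName)) {
        findings.push({ kind: "event-handler", detail: attrName });
      }
      // Strip whitespace and control characters before checking the scheme.
      const compact = value.replace(/[\s\u0000-\u001f]+/g, "").toLowerCase();
      const isHref = attrName === "href" || attrName.endsWith(":href");
      if (isHref && compact.startsWith("javascript:")) {
        findings.push({ kind: "script-url", detail: attrName });
      }
    }
  }
  return findings;
}

// Constructed sample inputs.
const SAMPLE_BENIGN =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>';
const SAMPLE_ACTIVE =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">' +
  "<script>function init(){}</script>" +
  '<a xlink:href="javascript:void(0)"><text>x</text></a></svg>';

console.log(findActiveContent(SAMPLE_BENIGN));
console.log(findActiveContent(SAMPLE_ACTIVE));
```

Entity-encoded attribute values are not decoded here, so a file that passes this check still needs a real XML parser or restrictive response headers before it is served from a trusted origin.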