An SVG file is basically a chunk of text in XML format which describes an image. Here is a simple example of a 50x50 pixel green triangle:
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
If you’re using a browser which supports SVG, i.e. pretty much any recent version of a modern browser other than IE, here is what the above XML looks like when the browser renders it:
Inside the above XML, you could use script tags in exactly the same way you would with HTML, e.g.:
Fortunately, it is not possible to display an SVG by using a simple HTML tag. You have to use an iframe, or the embed or object tags.
Don’t allow SVG
Allow SVG submissions but don’t display them; just allow them to be downloaded
Strip out dangerous content from the SVG before displaying it (be careful to catch everything)
Convert to a different image format before displaying, e.g. PNG or JPEG
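One way to implement the third option, as an added example that is not from the original post: a small Python sanitiser that parses the SVG, drops script-bearing elements and attributes, and refuses entity declarations outright. The SAMPLE input and the doSomething() name are constructed for the test, and the allowlists are assumptions about what your images need.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script, embed foreign markup, or can rewrite attributes at runtime.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "style", "set", "animate", "animateTransform"}
# Link targets allowed to survive: same-document fragments and inline raster image data.
SAFE_HREF = re.compile(r"^(#[\w.-]+|data:image/(png|jpeg|gif);base64,[A-Za-z0-9+/=]+)$")

# Constructed sample: the page's triangle plus three script-carrying additions.
SAMPLE = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="doSomething()"><script>doSomething()</script>'
    '<a xlink:href="javascript:doSomething()">'
    '<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>'
    "</a></svg>"
)

_local = lambda qname: qname.split("}")[-1]  # strip the {namespace} part of a qualified name


def sanitize_svg(svg_text):
    """Return (cleaned SVG text, counts of removed elements and attributes)."""
    # Refuse entity declarations before the parser sees them (entity expansion, XXE).
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.IGNORECASE):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed")
    root = ET.fromstring(svg_text)
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element must be svg")
    removed = {"elements": 0, "attributes": 0}
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


def _scrub(elem, removed):
    for child in list(elem):
        if _local(child.tag) in FORBIDDEN_ELEMENTS:
            elem.remove(child)
            removed["elements"] += 1
        else:
            _scrub(child, removed)
    for name, value in list(elem.attrib.items()):
        local = _local(name).lower()
        if (local.startswith("on")                                          # event handlers
                or (local == "href" and not SAFE_HREF.match(value.strip()))  # javascript:, remote URLs
                or (local == "style" and "url(" in value.lower())):          # CSS fetching resources
            del elem.attrib[name]
            removed["attributes"] += 1
```

Because it allowlists rather than pattern-matches payloads, anything the image does not strictly need is dropped; converting to PNG (the fourth option) remains the simpler choice when vector output is not required.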