HackerOne reported vulnerability: Cross-site Scripting (XSS) Vulnerability in SVG attachments
https://hackerone.com/reports/202082
SVG files can contain Javascript in <script>
tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for a SVG file will result in the scripts being executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the code, but if a user clicks on the attachment the code will execute.
https://www.grepular.com/Scalable_Vector_Graphics_and_XSS https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf