The Woes of Sanitizing SVGs
Summary
The post traces Scratch's long history of SVG-related vulnerabilities, showing how SVGs can introduce XSS and data-exfiltration risks despite sanitization efforts. It covers major incidents from 2019 to 2026, discusses how sanitizers like regex-based removals and DOMPurify were bypassed, and explains the pivot to a sandboxed iframe approach as a more robust defense. It also notes AI-assisted discovery of vulnerabilities (Claude) and ongoing parsing challenges with css-tree, plus an alternative path explored by TurboWarp that isolates SVGs in a sandbox with CSP. The piece concludes that sanitization alone is unsustainable and future-proofing will require layered protections and browser-assisted security.
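The sandboxed-iframe approach the summary refers to, shown as an added example that is not code from the post, Scratch or TurboWarp: an untrusted SVG is mounted in an iframe whose empty `sandbox` attribute and a `<meta>` Content-Security-Policy (the concrete policy values are this example's assumptions) make the browser block script execution and outbound loads, so the defense no longer depends on a sanitizer recognising every trick.

```javascript
// Added example (not from the post): isolate an untrusted SVG in a sandboxed
// iframe so that scripts and network loads inside it are blocked by the
// browser, whatever the sanitizer missed.
// Assumptions: the CSP below is illustrative; the iframe's empty sandbox
// gives the srcdoc document an opaque origin, so it cannot read host cookies
// or DOM even though the host page created it.

const SVG_FRAME_CSP = [
  "default-src 'none'",        // block every fetch unless listed below
  "img-src data:",             // permit raster data embedded inline in the SVG
  "style-src 'unsafe-inline'", // presentation attributes/inline CSS stay local
].join("; ");

// Build the srcdoc document. The SVG is inserted unsanitized on purpose: the
// meta CSP and the sandbox are the controls, not string filtering.
function buildSvgFrameDocument(svgText) {
  return "<!DOCTYPE html><html><head><meta charset=\"utf-8\">" +
    `<meta http-equiv="Content-Security-Policy" content="${SVG_FRAME_CSP}">` +
    `</head><body>${svgText}</body></html>`;
}

// Attributes for the iframe. An empty sandbox value is the most restrictive:
// no scripts, no same-origin access, no forms, no top-level navigation.
function svgFrameAttributes(svgText) {
  return {
    sandbox: "",
    srcdoc: buildSvgFrameDocument(svgText),
    referrerpolicy: "no-referrer", // no host URL leaks via Referer
  };
}

// Create and mount the iframe in a browser document (needs a DOM).
function mountSvgFrame(container, svgText) {
  const frame = container.ownerDocument.createElement("iframe");
  for (const [name, value] of Object.entries(svgFrameAttributes(svgText))) {
    frame.setAttribute(name, value);
  }
  container.appendChild(frame);
  return frame;
}
```

Because the SVG is placed inline, a payload that closes `</body>` still lands inside the same sandboxed, CSP-governed document, which is the property the sanitizer-only approach could not give.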