SVG is XML-based, unlike HTML which follows the SGML spec From curling the malic... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		pcthrowaway 5 months ago \| parent \| context \| favorite \| on: SVGs that feel like GIFs SVG is XML-based, unlike HTML which follows the SGML spec From curling the malicious page you can also see: `<?xml version="1.0" encoding="UTF-8"?> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1000" height="1000">`

nneonneo 5 months ago [–]

Yes, SVGs are XML-based and may be vulnerable to generic XML-based XML external entity (XXE) or exponential entity expansion attacks, but this particular malicious SVG is using SVG-specific features to create the resource exhaustion.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact