The Woes of Sanitizing SVGs

Scratch’s SVG mess has users split: lock it down or ditch it

TLDR: Scratch keeps patching dangerous image files (SVGs) that can run code or leak IPs, and the fixes keep breaking. Commenters split between “allow only simple shapes,” “stop inlining these files,” or “try a new format like TinyVG,” citing Google’s long-time no-SVG stance as proof this is hard.

Scratch, the kid-friendly coding site, keeps getting burned by “harmless” picture files that bite back. The article recounts a soap opera of fixes: in 2019, sneaky code ran from inside images; in 2020, creative casing and hidden tricks broke the patch; by 2022, images could quietly ping a website and grab your IP address. Each fix came with a hopeful “surely, now it’s safe,” and the community collectively eye-rolled. The mood? Peak “whack-a-mole.”

Commenters came ready with hot takes. One reader said this is exactly why Google Slides still won’t touch SVGs—15 years on—and everyone nodded like, yep, that tracks. Another proposed a truce: only allow the simple stuff—“just shapes, no magic.” That sparked a mini-meme about there being two kinds of SVGs: the cute drawings and the “clever dangerous stuff.” The subtext: stop trying to sanitize a tornado.

Then came the curiosity and the alternatives. People asked why Scratch ever has to shove these images into the page at all—apparently to measure sizes—and were stunned that a blink-and-you-miss-it insert can still cause trouble. Others begged for a safer format. One championed TinyVG, though it lacks animation. Jokes flew: “SVG stands for Seriously Vulnerable Graphics,” and “regex vs hackers” became the week’s meme. The verdict from the crowd: either lock it down to crayons-only or ditch it entirely.

Key Points

  • Scratch appends user-generated SVGs into the DOM to perform operations like bounding box measurement, creating a security risk.
  • 2019: SVG <script> tags executed on load, causing XSS; initial fix removed scripts via a regular expression.
  • 2020: apple502j found XSS remained possible (CVE-2020-27428) via regex bypasses and inline event handlers; Scratch adopted DOMPurify.
  • Scratch Desktop’s XSS risk escalated to arbitrary code execution due to Electron’s Node.js integration; TurboWarp Desktop has had this feature disabled since v0.2.0 (March 2021).
  • 2022: HTTP leak via <image> href triggered external requests; mitigated by DOMPurify hooks to remove remote URLs from href attributes.
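
As an added illustration, not code from the article, Scratch or DOMPurify, here is a DOMPurify-style `uponSanitizeAttribute` hook for the 2022 item above: it keeps only fragment and `data:` hrefs, so an `<image href="https://...">` in a user SVG can never make the viewer's browser call out. The hook shape follows DOMPurify's public `addHook` API; the allowlist policy and the `installHrefHook`/`hrefAttrPolicy` names are assumptions of this example.

```javascript
// Added example (not Scratch's or DOMPurify's own code): an attribute policy
// for the 2022 "HTTP leak" case, where <image href="https://..."> inside a
// user SVG made the viewer's browser fetch a remote URL (exposing its IP).
// Instead of blocklisting "http"/"https" (which, like the 2019 script regex,
// invites casing and whitespace bypasses), only two href shapes are kept:
//   - same-document fragments  (#id)   e.g. <use href="#gradient">
//   - inline data: URIs                e.g. <image href="data:image/png;base64,...">
// Everything else, remote or relative, is dropped.

const HREF_ATTRS = new Set(['href', 'xlink:href']);

// Browsers ignore ASCII tab/newline/CR and leading C0 controls in URLs, so
// strip them before matching; otherwise "\thttp://" or " DATA:" slip past a
// naive prefix check. The normalized string is used for matching only.
function normalizeUrl(value) {
  return String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '')
    .toLowerCase();
}

// Returns true if the attribute may stay, false if the sanitizer must drop it.
function hrefAttrPolicy(attrName, attrValue) {
  if (!HREF_ATTRS.has(String(attrName).toLowerCase())) return true; // not an href
  const url = normalizeUrl(attrValue);
  return url.startsWith('#') || url.startsWith('data:');
}

// Wires the policy into a DOMPurify instance. `uponSanitizeAttribute` is a real
// DOMPurify hook; setting `data.keepAttr = false` makes DOMPurify remove the
// attribute. Assumed usage: installHrefHook(DOMPurify) before DOMPurify.sanitize(svg).
function installHrefHook(purify) {
  purify.addHook('uponSanitizeAttribute', (node, data) => {
    if (!hrefAttrPolicy(data.attrName, data.attrValue)) {
      data.keepAttr = false;
    }
  });
}
```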

Hottest takes

“why Google Slides doesn’t have SVG support” — spankalee
“support a tiny subset of svg that probably still covers 90%” — andybak
“I do wish tinyVG or similar would take off” — ikkun

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.