SVG and XSS

This page demonstrates that SVG files can behave differently depending on how they are embedded or opened.

Embedded as an SVG document

The SVG below is loaded using <object>. This treats the SVG as a document, not just as an image.



Link to an SVG document

Opening the SVG directly may also allow script inside the SVG to run.

Link to cutecat.svg
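
The two cases above can be checked for when reviewing a page. This added example (not part of the original page) lists every reference to an SVG file in some HTML and reports whether that context lets script inside the SVG run. It goes slightly beyond the page by also covering `<img>`, `<embed>` and `<iframe>`; the function name, the sample markup and the detection of SVGs by file extension are assumptions.

```javascript
// Added example: classify how SVG files are referenced in an HTML page.
// <img> loads an SVG as a static image, so browsers do not run its scripts.
// <object>, <embed>, <iframe> and a followed link load it as a document,
// where script can run unless response headers (e.g. a CSP) prevent it.
const CONTEXTS = {
  img:    { attr: "src",  mode: "image",                scriptCapable: false },
  object: { attr: "data", mode: "embedded document",    scriptCapable: true },
  embed:  { attr: "src",  mode: "embedded document",    scriptCapable: true },
  iframe: { attr: "src",  mode: "embedded document",    scriptCapable: true },
  a:      { attr: "href", mode: "top-level navigation", scriptCapable: true },
};

// Hypothetical helper. Assumption: SVGs are recognised by a .svg/.svgz
// extension; a real audit should also check the served Content-Type.
// Limitation: a ">" inside a quoted attribute value ends the tag match early.
function auditSvgReferences(html) {
  const findings = [];
  const tagRe = /<(img|object|embed|iframe|a)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const ctx = CONTEXTS[tag];
    // Match the URL attribute whether double-quoted, single-quoted or bare.
    const attrRe = new RegExp(
      "(?:^|\\s)" + ctx.attr + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))", "i");
    const a = attrRe.exec(m[2]);
    if (!a) continue;
    const url = a[1] ?? a[2] ?? a[3];
    const path = url.split(/[?#]/)[0];          // ignore query and fragment
    if (!/\.svgz?$/i.test(path)) continue;
    findings.push({ tag, url, mode: ctx.mode, scriptCapable: ctx.scriptCapable });
  }
  return findings;
}

// Constructed sample markup, reusing the page's cutecat.svg file name.
const samplePage = `
<img src="cutecat.svg" alt="cat">
<object data="cutecat.svg" type="image/svg+xml"></object>
<a href="cutecat.svg">Link to cutecat.svg</a>
<a href="about.html">About</a>
`;

for (const f of auditSvgReferences(samplePage)) {
  console.log(`<${f.tag}> ${f.url}: ${f.mode}, script can run: ${f.scriptCapable}`);
}
```

Any finding with `scriptCapable: true` that points at an untrusted or user-uploaded SVG is worth serving from a separate origin, as a download, or under a restrictive Content-Security-Policy.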