I have a few projects where allowing users to upload SVG files like other image types would be useful, but SVGs can contain javascript, so allowing straight SVGs is an XSS vulnerability. I don't know what the correct way is to strip javascript out of SVG files. There must be some library which can parse an SVG, keep only whitelisted non-Javascript-containing properties, and write out the file again, but I can't find it. (What does Wikipedia use?)
I don't think the idea is that the sanitization happens on the client when they submit content. The client can do the sanitization when they view content. Often it will make sense for the server to do it, but sometimes not. Imagine you're writing an email client web app against someone else's API, and their API gives you the raw html of email messages that people have sent to you. Then it's the client's job to sanitize that HTML for rendering.
Also you can run that library on the server with node.
I think his concern is- since the security program would need to run on the attacker's computer, the attacker may simply opt not to use it, circumvent it. That being said, I don't see why it can't be used to sanitize requests to the server.
Well, if you are worried about xss, that is a case of an attacker's code running on a victim's machine. If they process svgs through the lib before adding them to the dom, that would be one way to prevent the xss attack. This seems to be what DOMPurify are suggesting based on their documentation.
You're right it's the publishing platform, but it is also my laziness. I don't know if it's the Wordpress theme I'm using or the SVG plugin I tried, but I have yet to get fluent at using SVG in this Wordpress blog: ironically it seemed to work fine on desktop but didn't resize well on mobile. I'll give it another try.
