SVG security
Remove script from SVG files locally
Remove script from SVG files before you paste markup into a website, React app, CMS, or design workflow.
SVG is XML, which means an SVG file can contain more than paths and shapes. If the source is unknown, clean the SVG before using it in a page or component.
What to remove from an unsafe SVG
Start by removing script tags, inline event attributes such as onclick or onload, javascript: links, external references you do not trust, embedded HTML, and unsupported tags. These items can create security problems or make the file harder to render consistently.
Why script removal is not the whole cleanup
A script tag is the obvious problem, but SVG cleanup should also check links, event handlers, foreignObject, animation, and metadata. The safest workflow is to clean the file, preview the output, then inspect the markup before shipping important artwork.
When to be extra careful
Treat SVG files from email, uploads, unknown icon packs, or user-generated content as untrusted. If users can upload SVG to your own product, use server-side validation and a strict allowlist. A browser cleaner helps with one-off files, but it is not a full upload security system.
Common questions
Can I remove script from SVG locally?
Yes. PDFSVG's SVG cleaner runs in the browser and removes script tags, event handlers, unsafe links, and unsupported markup without uploading the SVG.
Are SVG files dangerous?
SVG files are not automatically dangerous, but SVG is code-like markup. Files from unknown sources can contain scripts, event handlers, external references, or embedded HTML that should be removed before use.
Is script removal enough for user-uploaded SVG?
No. User-uploaded SVG needs server-side validation, strict allowlists, safe hosting rules, and careful rendering. A local cleaner is useful for manual cleanup, not a complete upload security policy.