A detailed history of SVG sanitization vulnerabilities in Scratch (the coding platform) from 2019 to 2026, covering XSS attacks, HTTP leaks via CSS @import, url(), image-set(), and CSS nesting bypass bugs. Each fix added more complexity to a custom sanitization pipeline, yet new bypasses kept emerging. The author argues this approach is fundamentally unsustainable and presents an alternative used in TurboWarp (a Scratch fork): sandboxing SVGs inside an iframe with a strict Content-Security-Policy, letting the browser enforce security rather than trying to out-parse every possible CSS trick. Two currently unfixed vulnerabilities are also disclosed, including one found by Claude Opus after publication.
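The alternative described above, as an added illustration that is not code from Scratch or TurboWarp: the untrusted SVG is loaded into an iframe that carries both the `sandbox` attribute (no `allow-scripts`, no `allow-same-origin`) and a document-level Content-Security-Policy whose only fetch allowance is `data:` images. Every fetch the SVG could otherwise trigger (`<script>`, `<image href>`, `@import`, `url()`, `image-set()`, nested rules) is refused by the browser's CSP engine, so the page never has to parse CSS itself. The policy string, the helper names and the wrapper document layout are this example's own choices.

```javascript
// Added example (not Scratch's or TurboWarp's code): render an untrusted SVG
// inside a sandboxed iframe whose document carries a strict CSP, so the
// browser, not a hand-written sanitizer, decides what the SVG may do.

// CSP for the iframe document. default-src 'none' blocks every fetch the SVG
// could start (scripts, <image href>, @import, url(), image-set(), fonts).
// img-src data: keeps embedded raster data working; style-src 'unsafe-inline'
// keeps <style> blocks and style="" attributes rendering while still refusing
// external stylesheets, because no host source is listed.
const SVG_FRAME_CSP = [
  "default-src 'none'",
  "img-src data:",
  "style-src 'unsafe-inline'",
].join('; ');

// Build the HTML document that the iframe loads via srcdoc. The <meta> CSP
// sits in <head> before any untrusted markup, so it governs all of it. A
// second <meta> CSP smuggled inside the SVG cannot loosen this one: browsers
// enforce every delivered policy, so a request must satisfy all of them.
function buildSandboxedSvgDocument(svgText) {
  return '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${SVG_FRAME_CSP}">` +
    '<style>html,body{margin:0;background:transparent}svg{display:block}</style>' +
    '</head><body>' + svgText + '</body></html>';
}

// Attributes for the iframe element itself. An empty sandbox value (no
// allow-scripts, no allow-same-origin) gives the frame an opaque origin: no
// cookies, no storage, no access to the parent document, no script at all.
// no-referrer keeps the embedding page's URL out of any request that might
// somehow still be attempted.
function sandboxedIframeAttributes() {
  return { sandbox: '', referrerpolicy: 'no-referrer' };
}

// Browser-only helper: create the iframe, apply the attributes, mount it.
// Only runs where a DOM exists; the functions above are pure and testable.
function mountSandboxedSvg(container, svgText) {
  const iframe = document.createElement('iframe');
  for (const [name, value] of Object.entries(sandboxedIframeAttributes())) {
    iframe.setAttribute(name, value);
  }
  iframe.srcdoc = buildSandboxedSvgDocument(svgText);
  container.appendChild(iframe);
  return iframe;
}

// Constructed sample: an SVG that tries several of the leak vectors named in
// this page's history. Under the policy above none of them produce a request.
const SAMPLE_UNTRUSTED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">' +
  '<style>@import url(https://attacker.invalid/a.css);' +
  'rect{fill:url(https://attacker.invalid/b.svg#p)}</style>' +
  '<image href="https://attacker.invalid/c.png"/>' +
  '<rect width="10" height="10"/></svg>';

if (typeof document !== 'undefined') {
  mountSandboxedSvg(document.body, SAMPLE_UNTRUSTED_SVG);
}
```

The design choice is that nothing in the wrapper tries to recognise or strip the attack markup: the sample SVG is inserted verbatim, and the restrictions come entirely from the `sandbox` attribute and the CSP, which is what makes the approach hold up against CSS features that did not exist when the code was written.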
Table of contents
2019: XSS via <script> tag
2020: XSS via oversights in previous fix (CVE-2020-27428)
2022: HTTP leak via <image> href
2023: HTTP leak via CSS @import
2024: XSS via Paper.js
2025: HTTP leak via CSS url()
2026: HTTP leak via several bugs in the previous code
2026: Full page restyling via long transitions
2026: HTTP leak via image-set()
20XX: HTTP leak via new CSS features
This is unsustainable
An alternative
2026-04-12: Claude finds HTTP leak via CSS nesting relaxed syntax