I've been looking for a way to defend against XSS and other JavaScript being included in a malicious SVG file. Based on suggestions from friends, I've come up with a few scenarios, which I've included here. If you have any other suggestions I can add to this list, please get in touch (robin@digi.ninja).
inkscape --file="xss.svg" --verb="FileVacuum" --export-plain-svg="sanitised.svg"
It was expected that this would remove the JavaScript but it did not.
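A check to run on a sanitiser's output, given the result above (an added example, not part of the original lab): it parses an SVG with Python's standard library and lists script elements, event-handler attributes and javascript: URLs that are still present. The sample SVG, the function names and the list of things checked are assumptions made for illustration; it reports what remains and does not sanitise anything.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an SVG carrying three kinds of active content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script type="text/javascript">alert(2)</script>
  <a xlink:href="javascript:alert(3)"><text y="20">link</text></a>
  <rect width="10" height="10" fill="red"/>
</svg>"""

URL_ATTRS = {"href", "src"}  # assumed set of URL-bearing attributes to inspect


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text):
    """Return (element, reason) pairs for script-capable content left in an SVG."""
    # Refuse files with a DOCTYPE: entity declarations are a parser risk
    # and a reason to reject the upload on their own.
    if "<!doctype" in svg_text.lower():
        return [("document", "DOCTYPE present, not parsed")]
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append((tag, "element can carry script"))
        for name, value in el.attrib.items():
            attr = local(name)
            # Drop whitespace/control characters before testing the scheme.
            compact = "".join(c for c in value if c > " ").lower()
            if attr.startswith("on"):
                findings.append((tag, "event handler " + attr))
            elif attr in URL_ATTRS and compact.startswith("javascript:"):
                findings.append((tag, "javascript: URL in " + attr))
    return findings


if __name__ == "__main__":
    for element, reason in find_active_content(SAMPLE_SVG):
        print(f"<{element}>: {reason}")
```

Running it against the file a sanitiser produced, and rejecting the file if the list is not empty, turns "it was expected to remove the JavaScript" into something that is verified.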
It has also been pointed out that, if you need to serve untrusted SVG files from your site, it is best to store and serve them from a different subdomain to prevent attacks against the main domain.
Lab created by Robin Wood - DigiNinja