SVG XSS Defence Scenarios

I've been looking for a way to defend aginst XSS and other JavaScript being included in a malicious SVG file. Based on suggestions from friends, I've come up with a few scenarios which I've included here, if you have any other suggestions I can add to this list, please get in touch (

It has also been pointed out that if you need to allow untrusted SVG files to be served from your site that it is best to store and serve them from a different subdomain to prevent attacks against the main domain.

Lab created by Robin Wood - DigiNinja