Mario Gomes reported an SVG XSS to Mozilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=966734
This is triggered using an iframe with a srcdoc and XHTML namespace.
We can easily forbid SVG files with iframes. I can't tell if it's an oversight that we allow those, or if we made the decision to allow them for some reason. I'll pull down some of the more recent SVG uploads and see if embedded iframes are common.
Version: unspecified
Severity: normal
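
One way to implement the "forbid SVG files with iframes" check described above, as an added example that is not code from the bug report or from the project. It matches on the resolved element name so the namespace prefix chosen by the file does not matter; the function names, the blocked-name policy and the sample files are assumptions constructed for illustration.

```python
import xml.parsers.expat

XHTML_NS = "http://www.w3.org/1999/xhtml"
BLOCKED_LOCAL_NAMES = {"iframe"}  # assumed policy for this example


def blocked_elements(svg_bytes):
    """Return [(namespace_uri, local_name, attribute_names)] for each blocked
    element, or raise ValueError if the upload is not well-formed XML."""
    found = []
    # With a namespace separator, expat reports names as "uri local", so the
    # check sees the resolved namespace and not whatever prefix the file chose.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_start(name, attrs):
        uri, _, local = name.rpartition(" ")
        if local.lower() in BLOCKED_LOCAL_NAMES:
            found.append((uri, local, sorted(attrs)))

    parser.StartElementHandler = on_start
    try:
        parser.Parse(svg_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    return found


def is_upload_allowed(svg_bytes):
    """Refuse malformed files and files containing any blocked element."""
    try:
        return not blocked_elements(svg_bytes)
    except ValueError:
        return False


# Constructed samples (not taken from the bug report); srcdoc content is inert.
PREFIXED = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:h="http://www.w3.org/1999/xhtml">
  <h:iframe srcdoc="&lt;p&gt;constructed&lt;/p&gt;"/></svg>"""
DEFAULT_NS = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc="&lt;p&gt;constructed&lt;/p&gt;"/></svg>"""
CLEAN = b"""<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>"""

if __name__ == "__main__":
    for label, sample in (("prefixed", PREFIXED), ("default-ns", DEFAULT_NS), ("clean", CLEAN)):
        print(label, is_upload_allowed(sample), blocked_elements(sample))
```

Running `blocked_elements` over a batch of recent uploads also gives the count needed to judge how common embedded iframes are before enforcing the rule.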