I have…
- Checked the logs and have uploaded a log file and provided a link because I found something suspicious there. Please do not post the log file in the topic because very often something important is missing.
I’m submitting a…
- Regression (a behavior that stopped working in a new release)
- Bug report
- Performance issue
- Documentation issue or request
Current behavior
When uploading certain animated SVG files to Squidex (Cloud), the upload fails with the following validation error:
“Validation error. The SVG is malicious and contains script tags.”
The SVG files are assets provided by third-party providers and are uploaded as-is, without any manual editing on our side.
Expected behavior
Valid SVG files that do not contain executable scripts should upload successfully, or Squidex should provide more detailed feedback about which SVG elements or attributes are being flagged.
Common SVG features such as masks, filters, and styles should not trigger a false-positive security error.
Minimal reproduction of the problem
- Attempt to upload an SVG asset received from a third-party provider.
- Squidex rejects the file with:
“Validation error. The SVG is malicious and contains script tags.”
Troubleshooting performed
- Cleaned the SVG using SVGO (npx package) → upload still fails.
- Gradually reduced the SVG by removing images, filters, and styles, leaving only basic structure and a mask → upload still fails.
- Removing the element from a simplified version allows the file to upload.
- Removing the from the original SVG with all assets present still results in the validation error.
- Removed style blocks to avoid alternative style parsing → no change.
- Tested both the original SVG and the SVGO-cleaned version with the same results.
This suggests the error is caused by a combination of SVG elements, rather than a single invalid or malicious tag.
Further removal of elements allows upload but breaks rendering, making manual sanitization impractical.
Environment
- Self-hosted with Docker
- Self-hosted with IIS
- Self-hosted with other version
- Cloud version
Version: [VERSION]
Browser:
- Chrome (desktop)
- Chrome (Android)
- Chrome (iOS)
- Firefox
- Safari (desktop)
- Safari (iOS)
- IE
- Edge
Others:
I can provide examples of the .svg files
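An added example, not part of the original post and not Squidex's validation code: a standard-library Python check that lists the script-capable constructs in an SVG (`script` and `foreignObject` elements, `on*` event attributes, `javascript:` URLs), which is the kind of per-element feedback the report asks for. The rule set, the function names and the sample SVG are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an animated SVG with a mask and filter (inert) plus three
# script-capable constructs, so each finding type is reported once.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <defs>
    <mask id="m"><rect width="10" height="10" fill="white"/></mask>
    <filter id="f"><feGaussianBlur stdDeviation="1"/></filter>
  </defs>
  <rect width="10" height="10" mask="url(#m)" filter="url(#f)" onload="init()">
    <animate attributeName="opacity" values="0;1" dur="2s"/>
  </rect>
  <a xlink:href="javascript:void(0)"><circle r="1"/></a>
  <script>init = function () {}</script>
</svg>"""

# Assumed rule set (not Squidex's): elements that can carry script or HTML.
SCRIPT_ELEMENTS = {"script", "foreignobject"}
URL_ATTRS = {"href", "src"}
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript):", re.I)


def local(name):
    """Strip an ElementTree '{namespace}' prefix and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()


def find_script_constructs(svg_text):
    """Return (path, kind, detail) for every script-capable construct."""
    findings = []

    def walk(el, path):
        tag = local(el.tag)
        here = f"{path}/{tag}"
        if tag in SCRIPT_ELEMENTS:
            findings.append((here, "element", tag))
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):  # event handlers: onload, onclick, ...
                findings.append((here, "event-attribute", attr))
            elif attr in URL_ATTRS and SCRIPT_URL.match(value):
                findings.append((here, "script-url", attr))
        for child in el:
            walk(child, here)

    # For files from untrusted sources, parse with defusedxml instead.
    walk(ET.fromstring(svg_text), "")
    return findings
```

Masks, filters and `animate` elements produce no findings here, so an empty result on a rejected file points at the validator's rules rather than at the asset.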