[KevinMarks] For svgshare.com I parse with html5lib and remove all script tags (I also only use img on the site, except for the upload dialogue, so anyone who uploads a script exploit only hacks themselves)
[jacky] also would that mean that parsers that support embedded SVGs _should_ parse it under SVGTiny? I know there's no recommendation on sanitizing HTML in the mf spec
[tantek] jacky, that's a very good suggestion if I understand you correctly, to make that explicit in the mf2 parsing spec ("[mf2] parsers that support embedded SVGs _should_ parse it under SVGTiny") — can you file an issue for that? https://github.com/microformats/microformats2-parsing/issues/
btrem ISTM that it is up to consumers to take precautions. So maybe parsing rules should provide a general warning about republishing e.g. `h-entry`, with suggestions on how to reduce the dangers.
[tantek] the idea is that parsing with/for SVGTiny is at least *a* defined method for SVG sanitization, whereas HTML sanitization is still very much custom design/code.
btrem re: my Firefox comment: the image was disappearing in a specific set of markup and css. Probably not a bug, since I saw the same effect in Firefox and Chromium. In any case, it was completely unrelated to `u-logo`.