• Hi,

    My client is using the Sucuri company for security, and uploading SVG is blocked by their Firewall. Sucuri told me there is some incorrect behavior during the action, that is a potential threat of XSS:

    “If you do a PCAP of that session, it should be fairly obvious to the developer why it looks like a cross site scripting attack. If the request complies with OWASP best practice, we would not have blocked it.”

    “If the developer finds some funky behaviour in the core file after doing a PCAP, they can raise an issue with WP bug tracker, I’d be surprised if it went anywhere, but if you pass me a link I will follow it.”

    I know this plugin uses the standard upload system of core WP, but WP does not allow uploading SVG out of the box. I don’t know if that is a problem with the WP CORE or how it processes SVG or the plugin.

    If this is not the plugin's problem, we may open an issue in the WP bug tracker since it sounds dangerous, maybe it could be fixed someday?

  • The topic ‘Potential threat of XSS’ is closed to new replies.