I ran into a discussion on Stack Overflow on this topic: 
http://stackoverflow.com/q/30952737/1729885, regarding embedding the following 
code snippet in an HTML document:

        
<svg><script>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg>

The character references translate to "alert(1)". I have confirmed that, in all 
the latest versions of IE, Chrome and Firefox, this code is executed, whilst it 
is not if the <svg> container is omitted. I think this is neither intentional 
nor wanted behavior, as HTML5 explicitly defines a separate script parsing mode 
which handles character references as plain text.
 
HTML5, however, also explicitly defines that "the semantics of SVG elements are 
defined by the SVG specification", and SVG also defines the script element, 
without the script parsing mode (as SVG is itself XML, it would be neither 
possible nor necessary to enforce that). Therefore it seems that all browsers 
are correct in executing this code in this context, according to current 
standards. It does leave a potentially giant loophole, though, for embedding 
malevolent code in HTML documents which is not scanned or detected by naïve 
scanners assuming script tags cannot work like this in HTML.
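As an added illustration (not part of the original post or of any browser's code), the following JavaScript contrasts a naive scanner that inspects raw <script> text with one that applies the parser distinction described above: inside <svg> the character references are decoded before the script element sees its text, whereas in a plain HTML <script> they stay literal. The tag tokenizer, the small named-reference table, the function names and the sample document are constructed for this demo and are not a conforming HTML parser.

```javascript
// Added example, not from the original post. It contrasts a naive scanner
// that reads <script> bodies as raw text (the HTML "script data" state, where
// character references stay literal) with a scanner that applies the foreign
// content rule: inside <svg>, character references are decoded before the
// script element receives its text. The tokenizer, the named-reference subset
// and the sample document are constructed for this demo.

// Minimal subset of named references; constructed, not the full HTML table.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode &#NNN; / &#xHH; numeric references and the named subset above.
// Unknown or out-of-range references are left exactly as written.
function decodeCharRefs(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_REFS[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Walk the markup with a tiny tag tokenizer (constructed for this demo). It
// tracks <svg> nesting so each <script> body is labelled "svg" (foreign
// content) or "html", and records the text the script element would receive.
function scriptSources(html) {
  const tagRe = /<(\/?)(svg|script)\b[^>]*>/gi;
  const found = [];
  let svgDepth = 0;
  let scriptStart = -1;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (name === "svg") {
      if (scriptStart === -1) svgDepth = Math.max(0, svgDepth + (closing ? -1 : 1));
      continue;
    }
    if (!closing && scriptStart === -1) {
      scriptStart = tagRe.lastIndex;
    } else if (closing && scriptStart !== -1) {
      const raw = html.slice(scriptStart, m.index);
      const context = svgDepth > 0 ? "svg" : "html";
      found.push({
        context,
        raw,
        // Inside <svg> the parser decodes references before the script runs.
        effective: context === "svg" ? decodeCharRefs(raw) : raw,
      });
      scriptStart = -1;
    }
  }
  return found;
}

// Naive scanner: matches the pattern only against the raw script text.
function naiveScan(html, pattern) {
  return scriptSources(html).filter((s) => pattern.test(s.raw)).length;
}

// Parser-aware scanner: matches against the text the script element receives.
function parserAwareScan(html, pattern) {
  return scriptSources(html).filter((s) => pattern.test(s.effective)).length;
}

// Constructed sample: the snippet from the post inside <svg>, and the same
// bytes in a plain HTML <script>, where they remain inert text.
const ENCODED = "&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;";
const SAMPLE_HTML =
  "<p>intro</p><svg><script>" + ENCODED + "</script></svg>" +
  "<script>" + ENCODED + "</script>";

const pattern = /\balert\s*\(/;
console.log("naive hits:", naiveScan(SAMPLE_HTML, pattern)); // 0
console.log("parser-aware hits:", parserAwareScan(SAMPLE_HTML, pattern)); // 1
for (const s of scriptSources(SAMPLE_HTML)) {
  console.log(s.context, JSON.stringify(s.effective));
}
```

The point of the two counts is the one the post makes: a scanner that only sees the raw bytes reports nothing for either script, while one that models where the HTML parser decodes character references flags the <svg>-wrapped copy and still correctly ignores the plain HTML one.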

I think the HTML specification on the SVG element 
(http://www.w3.org/TR/html5/embedded-content-0.html#svg), or the more general 
section on embedded content at 
http://www.w3.org/TR/html5/dom.html#embedded-content-2, should be expanded to 
state either that, if an SVG document is embedded in HTML, it inherits the 
limitations with regard to the parsing mode of elements defined in both 
standards, or, more generically, something to the effect that active content 
in any section of the document must adhere to the limitations imposed by all of 
its containing documents.
