Sure but that requires the given parser (the web browser, the image lib, etc) to arbitrarily run code in the first place. Which… well, why? It’s an image, not a program. Treat it as an image. Hence “only an idiot” writes an image parser to actually execute an image (same with eg.: only an idiot would write an MP3 parser that arbitrarily executes an MP3).
Even if an SVG had JS in it, as an image-proccessing lib the correct method would be not to try to run the JS in your SVG by yourself but rather just hand it down to whoever is processibg JS at the moment (which would be, well, the browser context and its sandbox).
that requires the given parser (the web browser, the image lib, etc) to arbitrarily run code in the first place
At the most base level, every image is data, and any data can theoretically be code. The image’s data has to be parsed (like you said) and the parser can be exploited to trigger code execution.
It works both ways, which ultimately is the issue.
A well created malicious exploit will look like an image (or any other file) to a user, but can execute arbitrary code.
That’s why I thought maybe you were just making a joke.
Sure but that requires the given parser (the web browser, the image lib, etc) to arbitrarily run code in the first place. Which… well, why? It’s an image, not a program. Treat it as an image. Hence “only an idiot” writes an image parser to actually execute an image (same with eg.: only an idiot would write an MP3 parser that arbitrarily executes an MP3).
Even if an SVG had JS in it, as an image-proccessing lib the correct method would be not to try to run the JS in your SVG by yourself but rather just hand it down to whoever is processibg JS at the moment (which would be, well, the browser context and its sandbox).
I don’t think you understand how exploits work. We’re not talking about “running JS in an image viewer”.
https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-hack-websites-2/
https://www.bitdefender.com/en-us/blog/hotforsecurity/openjpeg-vulnerability-allows-execution-of-malicious-code-using-crafted-images
At the most base level, every image is data, and any data can theoretically be code. The image’s data has to be parsed (like you said) and the parser can be exploited to trigger code execution.