How to block risky PDFs and SVG uploads

PDF and SVG uploads often look routine, but both formats can carry active content or structures you do not want to trust blindly.

PDFs:

  • Can contain JavaScript, launch actions, and embedded attachments.
  • Often move through document viewers, OCR pipelines, or internal review tools.

SVGs:

  • Are XML, not passive bitmaps.
  • Can embed scripts or browser-active content when served with the wrong headers.
Recommended approach:

  1. Keep PDF and SVG routes separate from generic image or document endpoints.
  2. Scan bytes before persistence.
  3. Reject obviously bad files.
  4. Quarantine suspicious PDFs when business users still need a review path.
  5. Prefer raster-only image routes when you do not actually need SVG support.
Example with pompelmi (the wrapper function name is illustrative; the scanBytes call is the library's API):

```javascript
import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';

// Scan the raw bytes before anything is persisted. failClosed means that if
// the scan itself errors out, the upload is not treated as clean.
export async function checkUpload(bytes, filename, mimeType) {
  const report = await scanBytes(bytes, {
    filename,
    mimeType,
    policy: STRICT_PUBLIC_UPLOAD,
    failClosed: true,
  });

  if (report.verdict !== 'clean') {
    // Per route: reject outright, or quarantine for human review (step 4).
    return { action: 'reject-or-quarantine', report };
  }
  return { action: 'accept', report };
}
```
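As an added example (neither pompelmi's code nor the page's own), this is the kind of byte-level pre-check step 3 calls for: sniff whether the upload really is a PDF or SVG, then flag the active content the lists above name. The marker lists and sample inputs are constructed; a production scanner must also inflate compressed PDF object streams, which this first pass does not.

```javascript
// Added example, not pompelmi's code: a conservative byte-level first pass
// that flags the active content named above (PDF JavaScript, launch actions,
// embedded files; SVG scripts and handlers) so a route can reject obviously
// bad files before persistence. Samples at the bottom are constructed.

// PDF name objects that introduce scripts, launch actions or attachments.
// Caveat: objects may live inside compressed object streams, so a byte scan
// is only a first pass; a full parser must inflate them before deciding.
const PDF_RISKY_RE = /\/(JavaScript|JS|Launch|EmbeddedFile)\b/g;

// SVG is XML: look for script elements, event-handler attributes,
// javascript: URLs and foreignObject (arbitrary HTML) in the markup.
const SVG_RISKY_PATTERNS = [
  { name: 'script-element', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject', re: /<\s*foreignObject\b/i },
];

// Decide the kind from leading bytes (Buffer or Uint8Array), never from the claimed MIME type.
function sniffKind(bytes) {
  const head = Buffer.from(bytes.subarray(0, 1024)).toString('latin1').trimStart();
  if (head.startsWith('%PDF-')) return 'pdf';
  const svgStart = /^(?:<\?xml[^>]*\?>\s*)?(?:<!--[\s\S]*?-->\s*)*(?:<!DOCTYPE[^>]*>\s*)?<svg\b/i;
  return svgStart.test(head) ? 'svg' : 'other';
}

// Returns { kind, verdict, findings }; verdict is 'clean', 'suspicious' or
// 'reject'. Anything that is not a PDF or SVG is rejected on this route.
function inspectUpload(bytes) {
  const kind = sniffKind(bytes);
  if (kind === 'other') return { kind, verdict: 'reject', findings: ['not-pdf-or-svg'] };
  const text = Buffer.from(bytes).toString('latin1');
  let findings = [];
  if (kind === 'pdf') {
    findings = [...new Set(text.match(PDF_RISKY_RE) || [])];
  } else {
    findings = SVG_RISKY_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
  }
  return { kind, verdict: findings.length ? 'suspicious' : 'clean', findings };
}

// Constructed samples for a quick local run.
const SAMPLE_CLEAN_SVG = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';
const SAMPLE_SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><script>f()</script></svg>';
const SAMPLE_JS_PDF = '%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n2 0 obj << /S /JavaScript /JS (noop) >> endobj\n%%EOF';
```

Run inspectUpload on the samples to see a clean SVG pass, the scripted SVG and PDF come back 'suspicious' with named findings, and any non-PDF/SVG bytes get rejected.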
Serving and policy notes:

  • Treat SVG as a separate route with its own allowlist and serving rules.
  • Keep uploaded SVGs off any path that browsers will execute inline unless you sanitize and re-serve them deliberately.
  • For PDFs, decide whether suspicious means reject or review based on your product and user expectations.