Remove data: URL in SVGUseElement

Category: Miscellaneous
Type: Feature removal
Status: Enabled by default (Chrome 120)
Intent stage: Dev trials

Summary

Assigning a data: URL in SVGUseElement can cause XSS, and this has also led to a Trusted Types bypass. Therefore, we plan to deprecate and remove support for it.

Motivation

Assigning an attacker-controlled string to SVGUseElement.href causes XSS and a Trusted Types bypass[1] because of data: URLs. If we fixed this bug by requiring TrustedScriptURL assignment to SVGUseElement.href under Trusted Types enforcement, many sites would need to refactor code (even for same-origin URL or Blob URL assignment). Since WebKit does not support data: URLs in SVGUseElement and both Mozilla and WebKit are supportive of the removal, we think that removing support for data: URLs in SVGUseElement is the right way to solve this problem.

Additionally, data: URLs can only trigger script execution in script loaders such as HTMLScriptElement.src or dynamic import[2]. However, SVGUseElement is an exception to this, which also caused a bypass[3] in the Sanitizer API. We believe that this also led to several other bugs in sanitizers and linters missing a check for this special case.

[1] https://github.com/w3c/trusted-types/issues/357
[2] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import
[3] https://bugs.chromium.org/p/chromium/issues/detail?id=1306450#c10
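The sanitizer and linter check for this special case can be sketched as below; it is an added example, not code from Chrome or the linked issues, and it resolves each reference with the WHATWG URL parser rather than matching a string prefix, so scheme case, leading whitespace and embedded tabs do not hide a data: URL. The `{ tagName, attrs }` element shape, the function names, the `example.test` base URL and the sample values are assumptions constructed for illustration.

```javascript
// Added example: audit parsed <use> elements for data: URL references.
// The { tagName, attrs } element shape is an assumption (output of any HTML/SVG parser).

// Resolve like a browser: the WHATWG URL parser trims leading/trailing spaces and
// control characters, drops tabs/newlines, and lowercases the scheme.
function resolvedScheme(value, baseUrl) {
  try {
    return new URL(value, baseUrl).protocol;
  } catch {
    return null; // not parseable as a URL
  }
}

// Returns one finding per <use> href / xlink:href that resolves to data:,
// or that cannot be parsed at all (reported so a reviewer can decide).
function findDataUrlUses(elements, baseUrl) {
  const findings = [];
  elements.forEach((el, index) => {
    if (el.tagName.toLowerCase() !== "use") return;
    for (const [name, value] of Object.entries(el.attrs)) {
      const attr = name.toLowerCase();
      if (attr !== "href" && attr !== "xlink:href") continue;
      const scheme = resolvedScheme(value, baseUrl);
      if (scheme === "data:") findings.push({ index, attr, reason: "data-url" });
      else if (scheme === null) findings.push({ index, attr, reason: "unparseable" });
    }
  });
  return findings;
}

// Constructed sample input; PLACEHOLDER stands in for the URL body.
const SAMPLE_ELEMENTS = [
  { tagName: "use", attrs: { href: "#icon-home" } },             // same-document
  { tagName: "use", attrs: { href: "/icons/sprite.svg#home" } }, // same-origin file
  { tagName: "use", attrs: { href: "blob:https://example.test/PLACEHOLDER" } },
  { tagName: "use", attrs: { href: "data:image/svg+xml,PLACEHOLDER#x" } },
  { tagName: "use", attrs: { "xlink:href": " DaTa:image/svg+xml,PLACEHOLDER#x" } },
  { tagName: "use", attrs: { href: "da\tta:image/svg+xml,PLACEHOLDER#x" } },
  { tagName: "image", attrs: { href: "data:image/png;base64,PLACEHOLDER" } }, // not <use>
];

for (const f of findDataUrlUses(SAMPLE_ELEMENTS, "https://example.test/page")) {
  console.log(`element ${f.index}: ${f.attr} -> ${f.reason}`);
}
```

Same-document, same-origin and Blob URL references pass, which matches the assignments the Motivation text says sites should not have to refactor.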

Standards & signals

Docs: https://developer.chrome.com/blog/migrate-way-from-data-urls-in-svg-use

Samples: https://shhnjk.github.io/svg-use-icons https://github.com/shhnjk/shhnjk.github.io/tree/main/svg-use-icons