Mario Gomes reported to Mozilla an SVG XSS:
This is triggered using an iframe with a srcdoc and XHTML namespace.
We can easily forbid SVG files with iframes. I can't tell if it's an oversight that we allow those, or if we made the decision to allow them for some reason. I'll pull down some of the more recent SVG uploads and see if embedded iframes are common.
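
One way to implement the iframe check described above, as an added example that is not part of the original report or the project's own code. It parses the upload with namespace awareness so that a prefixed `<h:iframe>` is caught as well as a default-namespace one; the function names `find_iframes` and `check_upload` and the sample files are assumptions made for illustration.

```python
import xml.parsers.expat


def find_iframes(svg_bytes):
    """Return [(namespace_uri, line, has_srcdoc)] for each iframe element.

    Raises xml.parsers.expat.ExpatError if the file is not well-formed XML.
    """
    hits = []
    # With a namespace separator, expat reports names as "<uri> <local>",
    # so a prefixed form such as <h:iframe> resolves to the same pair.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_start(name, attrs):
        uri, _, local = name.rpartition(" ")
        # Lower-casing is deliberately conservative: any spelling is refused.
        if local.lower() == "iframe":
            hits.append((uri, parser.CurrentLineNumber, "srcdoc" in attrs))

    parser.StartElementHandler = on_start
    parser.Parse(svg_bytes, True)
    return hits


def check_upload(svg_bytes):
    """Upload gate: (accepted, reason). Unparseable files are refused."""
    try:
        hits = find_iframes(svg_bytes)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"
    if hits:
        uri, line, srcdoc = hits[0]
        return False, f"iframe (ns={uri or 'none'}, line {line}, srcdoc={srcdoc})"
    return True, "ok"


# Constructed samples; the srcdoc value is an inert placeholder.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
DEFAULT_NS = b"""<svg xmlns="http://www.w3.org/2000/svg">
<foreignObject>
<iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc="placeholder"/>
</foreignObject>
</svg>"""
PREFIXED = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:h="http://www.w3.org/1999/xhtml">
<h:iframe srcdoc="placeholder"/>
</svg>"""

if __name__ == "__main__":
    for label, data in [("clean", CLEAN), ("default-ns", DEFAULT_NS), ("prefixed", PREFIXED)]:
        print(label, check_upload(data))
```

Running `find_iframes` over a directory of recent uploads and counting the non-empty results gives the prevalence figure the last sentence asks about.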