And another unfortunate security thing I learned today is that .svg files can contain JavaScript, and that your browser will happily execute that if someone directly views your image (so not through <img>). This has consequences for anyone hosting user supplied images. Thank you Wander Nauta for pointing this out. The painful story is here: https://github.com/berthubert/trifecta/issues/38
