
I've seen javascript in PDFs be used for unintended exploits more often than every legitimate use combined. It's kind of like if JPEGs could run arbitrary code by design.


There are restrictions, but SVG is an example of an image file type that can run JavaScript (again, there are legitimate use cases for this).


> again, there are legitimate use cases for this

I'm curious: what legitimate use cases exist for embedding a turing-complete scripting language into an image format?


I guess this was specified in a time when nobody thought it would one day be possible to embed an SVG document in an HTML DOM and add animations and interactivity in a performant way there.

ninja edit: It's also from a time when W3C started to lose focus and authority.

It's amazing that SVG was so successful despite this mess and also the confusion potential of CSS in SVG.

Browsers ignore scripts in external SVG images. Don't know if that is for security reasons (JS sandbox unreliable) or because a full isolated JS context per image would be too expensive...
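An added example, not from any commenter in this thread: a Python check of the kind an upload pipeline could run to flag SVG files that carry script before they are ever served inline (a `script` element, `on*` event-handler attributes, or a `javascript:` href). The two sample SVGs and all function names are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an SVG carrying active content in three different ways.
SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(1)</script>
  <circle r="5" onload="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><text>hi</text></a>
</svg>"""

# Constructed sample: plain vector graphics, nothing executable.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="red"/></svg>"""

XLINK_NS = "http://www.w3.org/1999/xlink"
# Both the SVG 2 plain href and the SVG 1.1 xlink:href form can carry a URL.
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}


def _local(name):
    """Strip an ElementTree '{namespace}' prefix and lower-case the local name."""
    return name.rsplit("}", 1)[-1].lower()


def find_script_vectors(svg_bytes):
    """Return (element, reason) pairs for every script-bearing construct found.

    Note: xml.etree does not stop entity-expansion tricks; parse untrusted
    input with defusedxml in production. This is a block-list aid for
    detection, not a sanitizer: the mitigation is an allow-list sanitizer or
    serving SVGs only as <img> / under a CSP that forbids inline script.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append((tag, "script element"))
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on") and len(aname) > 2:
                findings.append((tag, "event handler attribute " + aname))
            if attr in HREF_ATTRS and re.match(r"\s*javascript:", value, re.I):
                findings.append((tag, aname + " uses javascript: scheme"))
    return findings


def is_safe_svg(svg_bytes):
    """True only when no script vector was found."""
    return not find_script_vectors(svg_bytes)
```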


Wasn't there also a time where you could open a raw socket with SVG? SVG is very much from a time when we didn't know what the web was going to be or how it was going to work.


Every browser engine said no to that nonsense.

The core issue iirc was that one of the major use cases for SVG was map/navigation systems where a number of environments required fully standardized systems. But they didn’t want to say “implement a full browser stack”, so they just came up with their own “networking api” that was just “sockets!”.

A lot of this work predated html5, and the subsequent rationalization of web specs such that (for example) the xhr API was not fully specified, and it was not a separate specification from the rest of the browser stack, so SVG couldn’t just do what they could (in principle) do now.

The SVG WG was not the most functional - I recall that something a subset of the committee did at one point was, after the end of one person’s work day, to reschedule a meeting to later “that day” (while they were asleep) and take a vote without them present.

A number of other choices were made to the detriment of the spec for specific use cases (the various performance profiles have fundamentally incompatible rendering behavior rather than gradual decay, etc)


Thanks for the explanations!

Funnily enough we did end up saying "implement a full browser stack" :/


I might be mistaken, but that sounds like a general XML-related security bug (of which there are plenty)


Compression: for some images, you can't use SVG's <use>, but a small script can generate the repetitive bits quite nicely. Also, aperiodic animation (e.g. a double pendulum): SGML animations can represent a few minutes, but don't try putting a few hours' worth in.

PostScript, the printer file format, is Turing-complete, for different reasons.


That's because SVG is actually a document format, that is mostly for vector graphics. SVG nodes even show up in the DOM and CSSOM.


As a general rule this would be to do generative graphics, user interactivity with the graphical elements, animations, and a superset of all these - games.


I knew a guy who wrote a PostScript document that was a map of the sky at that moment. If you rendered it an hour later it was different again. It used the `file` capabilities of host-based interpreters.


> I'm curious: what legitimate use cases exist for embedding a turing-complete scripting language into an image format?

Competing with flash?

SVG tries to be a lot of things, one of them was to be a full on interactive app.


Signature forgery?


There are "legitimate use cases" for just about everything imaginable on this planet because there will always be a user that goes "I spend all my day in X software wouldn't it be great if it could read my email/monitor my plants/talk to sales/..".

That's how cursed enterprise software develops email clients and chat services. Just say no.



