inline_svg is vulnerable to Cross-Site Scripting. The vulnerability exists because the placeholder function in helpers.rb does not properly escape the filename attribute before being rendered, allowing an attacker to inject and execute malicious JavaScript through a malicious SVG file.