For what security reasons are svgs blocked in the media uploader?

I see that SVGs are blocked by default in the media uploader and you have to add it as a supported MIME type in functions.php. What security reasons are behind this?


SVG can contain JavaScript. JavaScript can be used to hijack cookies or do other questionable actions. It can even be “hidden” in namespaces:

<html xmlns:ø="http://www.w3.org/1999/xhtml">
   <ø:script src="https://0x.lv/" />
</html>

source

It is very hard to filter that out during the upload, so it is just not allowed by default.
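Added example (not part of the original answer, and in Python rather than WordPress's PHP): a string-level "does it contain <script" check misses the prefixed script element shown above, while a check that compares namespace-qualified element names catches it regardless of prefix. The two sample documents and the example.invalid URL are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces in which a <script> element executes in a browser (SVG and XHTML).
SCRIPT_NAMESPACES = {
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xhtml",
}


def naive_contains_script(data: str) -> bool:
    """String-level check of the kind that is easy to bypass:
    it only recognises the literal token '<script'."""
    return re.search(r"<script\b", data, re.IGNORECASE) is not None


def svg_has_active_content(data: str) -> bool:
    """Namespace-aware check: parse the document and look at each element's
    expanded name, so the prefix the author chose ('svg:', 'ø:', or none)
    does not matter. Also flags on* event-handler attributes and
    javascript: URLs, which run without any <script> element at all."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # not well-formed XML: reject rather than guess
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue
        if el.tag.startswith("{"):
            ns, local = el.tag[1:].split("}", 1)
            if local == "script" and ns in SCRIPT_NAMESPACES:
                return True
        elif el.tag == "script":
            return True  # unnamespaced; flagged conservatively
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1]
            if local.lower().startswith("on"):
                return True
            if local == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


# Constructed samples; the second uses the namespace-prefix trick from the answer.
PLAIN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
PREFIXED_SCRIPT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:ø="http://www.w3.org/1999/xhtml">'
    '<ø:script src="https://example.invalid/x.js"/></svg>'
)
```

The upload-time check in WordPress would have to do the equivalent parsing (or strip active content entirely), which is why the default is simply to disallow the type.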
