
[WONTFIX] SVG is as evil as ZIP

vk
Friday, March 15, 2013 - 00:42

The following SVG file should open a pop-up, then (after you press OK) redirect you to the Flare Windows archive. Effectively it makes you download a ZIP file.

Attachments: oga_flare.svg (346 b, 12 downloads)
bart
joined 13 years 11 months ago
Friday, March 15, 2013 - 23:08

You can make someone download a zip file with a plain HTML link, too.

vk
joined 12 years 3 months ago
Saturday, March 16, 2013 - 00:26

Instead of ZIP, it could have been EXE. So people might run it thinking that the file they just downloaded was an SVG file.

You can also do the same with an HTML link, but no one would expect their browser to download an HTML file.

IMO, no one on OGA is dumb enough to click on an EXE downloaded offsite, thinking it is the SVG file they downloaded from OGA.

But you are saying that they are dumb enough to click on an EXE in a ZIP file which they knowingly downloaded from OGA.

bart
joined 13 years 11 months ago
Saturday, March 16, 2013 - 01:40

You're reading an awful lot into that one little statement.  That said, I was being snarky and I should have gone into a bit more detail.

The reason I allow ZIP files at all isn't because I want people to upload executable files to OGA, it's because I understand that there are tons of different art formats out there, some more esoteric than others.  While I don't necessarily want to encourage people to use strange formats (by explicitly listing them in the allowed file upload formats), I don't necessarily want to prohibit them either.  But that's just on art submissions.

The reason I allow file attachments to forum posts at all is to facilitate discussion about art.  I'm perfectly happy with people discussing code as well, but I don't want to get into the business of hosting people's random files in a section of the site that doesn't receive nearly as much public scrutiny as the art section does.  I don't have time to vet everything myself, and a lot more people see art submissions than forum posts.  I'd also prefer to avoid having people post a zip on the forum and then hotlink it from other sites.  OGA is an art hosting website, not a code hosting website.  There are other sites that are perfectly happy to host your code and your executables, and you're more than welcome to link to those sites in your forum posts.

vk
joined 12 years 3 months ago
Saturday, March 16, 2013 - 02:04

It makes sense now. Thanks for the lengthy explanation.

marko
joined 13 years 11 months ago
Saturday, March 16, 2013 - 04:01

I don't see how this is "evil" though? I mean, the user still gets a pop-up asking if they want to download, and they'd be asked again before opening/running it, with the usual warnings that Windows gives. As said above, auto-downloads can be done with a webpage, so most users should be used to the idea (albeit it's a bit unconventional with an SVG file).

I don't think clicking on the SVG alone could cause the EXE to run?

Yes, it's true that one can circumvent the restriction on uploading exe files, but then one could do that by uploading a zip too, and I guess one has to be pragmatic - there's little point allowing exes on a site for art, but you can't stop people distributing one in another form, without restricting useful types like zip and svg.

Interesting point about svgs - I knew you could embed raster images (rather than the vector style they usually are for), I didn't know about embedding any file though.

CruzR
joined 14 years 3 months ago
Saturday, March 16, 2013 - 07:05

Interesting point about svgs - I knew you could embed raster images (rather than the vector style they usually are for), I didn't know about embedding any file though.

The ZIP archive is not included in the SVG -- it just contains a <script> tag with

window.location = "https://github.com/downloads/clintbellanger/flare-game/flare_win_v017_1.zip";

That being said, while I'm against forbidding SVG forum attachments, I guess it wouldn't hurt to sanitize the files on upload in order to strip all <script> tags and all exploits that allow JavaScript to be executed.

CodeAndReload
joined 12 years 6 months ago
Thursday, October 17, 2013 - 19:07

What I've seen done in cases like that is that the files (SVG files in this case) are hosted on a different domain, so that accessing cookies and other things is impossible (for the website's domain).

There are uses for JavaScript in SVG, one of which is animations.

Maybe SVG files with JavaScript tags should have a different MIME type so they are downloaded instead of displayed?

Gaming4JC
joined 13 years 11 months ago
Saturday, November 2, 2013 - 08:15

Actually this is very interesting and should be fixed; not just here but in browsers, Inkscape, etc. Not to disable JS entirely, but to sanitize it. I did not realize the use case of malicious SVGs until just now... http://www.securitytube.net/video/5533

Also - http://blog.jondh.me.uk/2012/09/inkscape-xml-entity-vulnerabilities/

Someone should make a very good PHP Sanitizing LIB for SVGs and the problem would be solved for everyone. :)

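The upload-time sanitizer that CruzR proposes and that Gaming4JC asks for as a library, as an added example that is not code from OGA or from anyone in this thread. It is written in Python (standard library only) rather than PHP; the element and attribute lists, the constructed sample SVG and the example.invalid URL are assumptions, not something the thread specifies.

```python
# Added example (not OGA's code): strip active content from an uploaded SVG.
# Stdlib only. Removes <script>/<foreignObject> subtrees, on* event attributes
# and any attribute whose value is a javascript: URL (href, xlink:href, and the
# "to"/"values" of <animate>/<set>). The stdlib parser does not fetch external
# entities; a hardened parser (e.g. defusedxml) is still advisable for uploads.
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")
BLOCKED = {"script", "foreignObject"}  # removed together with their subtrees


def _local(qname: str) -> str:
    """'{ns}tag' -> 'tag'; also covers files that omit the SVG namespace."""
    return qname.rsplit("}", 1)[-1]


def _is_js_url(value: str) -> bool:
    # Collapse whitespace so 'java script:' or 'javascript :' is still caught.
    return "".join(value.split()).lower().startswith("javascript:")


def _strip(elem: ET.Element) -> int:
    """Recursively remove active content; returns the number of removals."""
    removed = 0
    for child in list(elem):
        if _local(child.tag) in BLOCKED:
            elem.remove(child)
            removed += 1
        else:
            removed += _strip(child)
    for name, value in list(elem.attrib.items()):
        if _local(name).lower().startswith("on") or _is_js_url(value):
            del elem.attrib[name]
            removed += 1
    return removed


def sanitize_svg(data: bytes) -> tuple:
    """Return (sanitized SVG bytes, count of elements/attributes removed)."""
    root = ET.fromstring(data)
    removed = _strip(root)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


# Constructed sample: the thread's redirect trick plus common variants.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>window.location = "https://example.invalid/archive.zip";</script>
  <a xlink:href="javascript:alert(2)"><rect width="10" height="10"/></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"/></foreignObject>
  <animate attributeName="href" to="javascript:alert(3)"/>
</svg>"""
```

Run `sanitize_svg(SAMPLE)` to get the cleaned file and a removal count; a second pass over the output removes nothing, which is a cheap idempotence check for the upload hook.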