The attack: JavaScript code is embedded inside an SVG file, which is then uploaded to a website that accepts SVG files and does not sanitize their content.
Many websites fail in exactly this way and are directly exposed to this XSS vulnerability.
You have two choices:
- Do not allow users to upload SVG files
- Allow users to upload SVG files, but use an SVG cleaner on upload
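
A minimal allowlist cleaner for the second choice, as an added example that is not code from the original page. The allowlists, the names `clean_svg` and `SAMPLE_UPLOAD`, and the sample upload itself are assumptions constructed for illustration; anything not explicitly allowed is dropped rather than trying to enumerate dangerous constructs.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Assumed allowlists for static artwork only; extend them deliberately.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "title", "desc"}
ALLOWED_ATTRS = {"viewBox", "width", "height", "x", "y", "cx", "cy", "r",
                 "rx", "ry", "x1", "y1", "x2", "y2", "d", "points", "fill",
                 "stroke", "stroke-width", "transform", "opacity"}
# Constructed sample upload: script element plus event-handler attributes.
SAMPLE_UPLOAD = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" onload="alert(1)">'
    b'<script>alert(1)</script>'
    b'<circle cx="5" cy="5" r="4" fill="red" onclick="alert(1)"/></svg>')


def _allowed(elem):
    # Comments/PIs have a non-string tag; foreign namespaces fail the prefix test.
    return (isinstance(elem.tag, str) and elem.tag.startswith("{%s}" % SVG_NS)
            and elem.tag.split("}", 1)[1] in ALLOWED_TAGS)


def _scrub(elem):
    # Drop attributes not allowlisted (on*, href, style) or that reference a URL.
    for name in list(elem.attrib):
        if name not in ALLOWED_ATTRS or "url(" in elem.attrib[name].lower():
            del elem.attrib[name]
    # Children: remove unknown elements together with their whole subtree.
    for child in list(elem):
        if _allowed(child):
            _scrub(child)
        else:
            elem.remove(child)


def clean_svg(data: bytes) -> bytes:
    """Return a cleaned copy of an uploaded SVG, or raise ValueError."""
    text = data.decode("utf-8")  # UnicodeDecodeError is a ValueError
    if "<!DOCTYPE" in text.upper() or "<!ENTITY" in text.upper():
        raise ValueError("DTDs and entities are not accepted")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML") from exc
    if not _allowed(root) or not root.tag.endswith("}svg"):
        raise ValueError("root element is not <svg>")
    _scrub(root)
    ET.register_namespace("", SVG_NS)  # serialize as <svg xmlns="...">
    return ET.tostring(root, encoding="utf-8")
```

Store and serve only the bytes returned by `clean_svg`, never the original upload.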