User-supplied SVG markup from ?svg= is dropped into the page via innerHTML. SVG carries its own script surface (onload, <image onerror>, <animate onbegin>) so it slips past naive "no <script>" filters.
Trigger: /xss/svg.html?svg=<svg><image href=x onerror=alert(1)></svg>
Detected by: browser_cdp_svg_xss_probe