diff --git a/composer.json b/composer.json
index 504262e7..ccb454e3 100644
--- a/composer.json
+++ b/composer.json
@@ -30,6 +30,7 @@
 		"google/recaptcha"          : "~1.1",
 		"dapphp/securimage"         : "3.6.*",
 		"shish/libcontext-php"      : "dev-master",
+		"enshrined/svg-sanitize"    : "0.8.2",
 
 		"bower-asset/jquery"         : "1.12.3",
 		"bower-asset/jquery-timeago" : "1.5.2",
diff --git a/composer.lock b/composer.lock
index d1445182..2ca1f51e 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "content-hash": "eb5180245fbf27fb02d9a4018a2ff059",
+    "content-hash": "fd0ccce172ded2999f5ced0884990541",
     "packages": [
         {
             "name": "bower-asset/jquery",
@@ -152,6 +152,43 @@
             ],
             "time": "2017-11-21T02:29:19+00:00"
         },
+        {
+            "name": "enshrined/svg-sanitize",
+            "version": "0.8.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/darylldoyle/svg-sanitizer.git",
+                "reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/432fc4fc7e95b8a866790ba27e35076b9dd96ebe",
+                "reference": "432fc4fc7e95b8a866790ba27e35076b9dd96ebe",
+                "shasum": ""
+            },
+            "require-dev": {
+                "codeclimate/php-test-reporter": "^0.1.2",
+                "phpunit/phpunit": "^4.7"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "enshrined\\svgSanitize\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "GPL-2.0+"
+            ],
+            "authors": [
+                {
+                    "name": "Daryll Doyle",
+                    "email": "daryll@enshrined.co.uk"
+                }
+            ],
+            "description": "An SVG sanitizer for PHP",
+            "time": "2017-12-06T15:31:26+00:00"
+        },
         {
             "name": "flexihash/flexihash",
             "version": "v2.0.2",
diff --git a/ext/handle_svg/main.php b/ext/handle_svg/main.php
index 2e58dbd3..2847a092 100644
--- a/ext/handle_svg/main.php
+++ b/ext/handle_svg/main.php
@@ -6,11 +6,19 @@
  * Description: Handle static SVG files. (No thumbnail is generated for SVG files)
  */
 
+use enshrined\svgSanitize\Sanitizer;
+
 class SVGFileHandler extends Extension {
 	public function onDataUpload(DataUploadEvent $event) {
 		if($this->supported_ext($event->type) && $this->check_contents($event->tmpname)) {
 			$hash = $event->hash;
-			move_upload_to_archive($event);
+
+			$sanitizer = new Sanitizer();
+			$sanitizer->removeRemoteReferences(true);
+			$dirtySVG = file_get_contents($event->tmpname);
+			$cleanSVG = $sanitizer->sanitize($dirtySVG);
+			file_put_contents(warehouse_path("images", $hash), $cleanSVG);
+
 			send_event(new ThumbnailGenerationEvent($event->hash, $event->type));
 			$image = $this->create_image_from_data(warehouse_path("images", $hash), $event->metadata);
 			if(is_null($image)) {
@@ -46,7 +54,12 @@ class SVGFileHandler extends Extension {
 
 			$page->set_type("image/svg+xml");
 			$page->set_mode("data");
-			$page->set_data(file_get_contents(warehouse_path("images", $hash)));
+
+			$sanitizer = new Sanitizer();
+			$sanitizer->removeRemoteReferences(true);
+			$dirtySVG = file_get_contents(warehouse_path("images", $hash));
+			$cleanSVG = $sanitizer->sanitize($dirtySVG);
+			$page->set_data($cleanSVG);
 		}
 	}
 
diff --git a/ext/handle_svg/test.php b/ext/handle_svg/test.php
index aaa2c350..f8aaa96c 100644
--- a/ext/handle_svg/test.php
+++ b/ext/handle_svg/test.php
@@ -10,5 +10,13 @@ class SVGHandlerTest extends ShimmiePHPUnitTestCase {
 		# FIXME: test that the thumb works
 		# FIXME: test that it gets displayed properly
 	}
+
+	public function testAbuiveSVG() {
+		$this->log_in_as_user();
+		$image_id = $this->post_image("tests/alert.svg", "something");
+		$this->get_page("post/view/$image_id");
+		$this->get_page("get_svg/$image_id");
+		$this->assert_no_content("script");
+	}
 }
 
diff --git a/tests/alert.svg b/tests/alert.svg
new file mode 100644
index 00000000..7729c9cd
--- /dev/null
+++ b/tests/alert.svg
@@ -0,0 +1,8 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" width="100" height="100">
+    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+    <script type="text/javascript">
+        alert(document.location);
+    </script>
+</svg>