A security engineer for the Wikimedia Foundation got back to me today, and I hope he won't mind me adding part of his reply:
> I was able to reproduce your work with Inkscape, and I agree, this is
>something that Inkscape should fix. I tested a number of other viewers,
> and none showed similar behavior.
He says he'll look into filtering out entities on the server side, since Wikipedia publishes a lot of SVG images, and Inkscape is likely to be popular amongst contributors.
A security engineer for the Wikimedia Foundation got back to me today, and I hope he won't mind me adding part of his reply:
> I was able to reproduce your work with Inkscape, and I agree, this is
>something that Inkscape should fix. I tested a number of other viewers,
> and none showed similar behavior.
He says he'll look into filtering out entities on the server side, since Wikipedia publishes a lot of SVG images, and Inkscape is likely to be popular amongst contributors.