diff --git a/Submission.Api/Controllers/DebugController.cs b/Submission.Api/Controllers/DebugController.cs
index b6a3a21..bcf6427 100644
--- a/Submission.Api/Controllers/DebugController.cs
+++ b/Submission.Api/Controllers/DebugController.cs
@@ -273,6 +273,17 @@ namespace Submission.Api.Controllers
 }
 }
+ [HttpPost("svg-debug", Name = "SvgDebug")]
+ public async Task SVG_TEST([FromForm]string svg)
+ {
+ // SVG validation: reject bad/malicious SVGs before persisting
+ if (!Submission.Api.Services.SvgValidator.TryValidate(svg, out var svgError))
+ {
+ return BadRequest($"Invalid signature SVG: {svgError}");
+ }
+ return Ok("Valid SVG");
+ }
+
 private (string frontmatter, string body) ParseMarkdownFile(string content)
 {
 var lines = content.Split('\n');
diff --git a/Submission.Api/Services/SvgValidator.cs b/Submission.Api/Services/SvgValidator.cs
index ef6420f..47559e5 100644
--- a/Submission.Api/Services/SvgValidator.cs
+++ b/Submission.Api/Services/SvgValidator.cs
@@ -19,7 +19,7 @@ namespace Submission.Api.Services
 // Basic attribute whitelist (prefix-free) - attributes not listed are still allowed but checked for danger.
 private static readonly HashSet AllowedAttributes = new(StringComparer.OrdinalIgnoreCase)
 {
- "id","class","width","height","viewBox","fill","stroke","d","x","y","cx","cy","r","rx","ry","points",
+ "id","class","width","height","viewBox","fill","stroke","d","x","y","cx","cy","r","rx","ry","points","stroke-linecap","stroke-linejoin",
 "transform","style","xmlns","xmlns:xlink","xlink:href","href","opacity","stroke-width","font-size","font-family"
 };
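Review bot: The new `svg-debug` form POST carries no authorization or anti-forgery attribute within the hunk, so unless the controller header (outside this hunk) already gates it, any origin can post arbitrary SVG to this route and have the validator's message reflected back; a debug route like this should at least carry `[ValidateAntiForgeryToken]` and be fenced off from production (an `IWebHostEnvironment.IsDevelopment()` check, or whatever authorization policy the project already applies to debug routes). Returning `svgError` verbatim in `BadRequest(...)` means any input fragment the validator quotes is echoed to the caller — harmless for a plain-text result, but worth confirming the validator does not quote raw attribute or element text. The method is declared `async Task` yet contains no `await` and returns action results, which either does not compile or, if a generic argument was stripped in rendering, is `async Task<IActionResult>` with a CS1998 warning; drop `async` and declare `public IActionResult SvgDebug([FromForm] string svg)` (PascalCase per the rest of the file's conventions). The comment `// SVG validation: reject bad/malicious SVGs before persisting` overstates what this endpoint does, since nothing is persisted here; `// Debug probe: runs the same SvgValidator check used on upload, persists nothing` is accurate.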
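Review bot: Adding `stroke-linecap` and `stroke-linejoin` to `AllowedAttributes` is safe on its own (both take enumerated keyword values), but the comment above the set states that unlisted attributes are still allowed, so this set is not a security boundary and the validator's strength rests entirely on the per-value danger checks outside this hunk. Note that `style`, `href` and `xlink:href` are already in the listed set; if membership in this set exempts an attribute from the value check (not visible here), those three are precisely the attributes that carry `javascript:` URIs, CSS `url()` fetches and `<use>` references to external documents, so please confirm they are value-checked regardless of this list. The existing comment should say so explicitly, e.g. `// Known-harmless attribute names; membership here must never bypass the per-value danger checks below.` The field renders as `HashSet AllowedAttributes` with no type argument, presumably `HashSet<string>` lost to rendering rather than a real change.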