No, SVG files are not HTML.
~~Please change this post title (currently "today i learned: svg files are literally just html code"), to avoid spreading this incorrect factoid!~~
~~I suggest you change it to "today i learned: svg files are just text in an html-like language" or something like that.~~ edit: thanks OP
XML and HTML have many similarities, because they both are descendants of SGML. But, as others have noted in this thread, HTML is also not XML. (Except for when it's XHTML...)
Like HTML, SVG also can use CSS, and, in some environments (eg, in browsers, but not in Inkscape) also JavaScript. But, the styles you can specify with CSS in SVG are quite different than those you can specify with CSS in HTML.
Lastly, you can embed SVG in HTML and it will work in (modern) browsers. You cannot embed HTML in SVG, however.
Btw, DeadDrop was the original name of Aaron Swartz' software which later became SecureDrop.
I'm sorry to say... this is not quite true. You (or your web host, or a MITM adversary in possession of certificate authority key) can replace the source code at any time - and can do so on a per-user basis, targeting specific IP addresses - to make it exfiltrate the secret key from the uploader or downloader.
Anyone can audit the code you've published, but it is very difficult to be sure that the code one has audited is the same as the code that is being run each time one is using someone else's website.
This website has a rather harsh description of the problem: https://www.devever.net/~hl/webcrypto ... which concludes that all web-based cryptography like this is fundamentally snake oil.
Aside from the entire paradigm of doing end-to-end encryption using javascript that is re-delivered by a webserver at each use being fundamentally flawed, there are a few other problems with your design:
There are many similar browser-based things which still have the problem of being browser-based but which do not have these three problems: they store the file under a random identifier (or a hash of the ciphertext), and include a high-entropy key in the "fragment" part of the URL (the part after the
#
symbol) which is by default not sent to the server but is readable by the javascript. (Note that the javascript still can send the fragment to the server, however... it's just that by default the browser does not.)I hope this assessment is not too discouraging, and I wish you well on your programming journey!