fix(removeScriptElement): remove link anchors with scripts
SethFalco committed Oct 13, 2023
1 parent e529c66 commit 21cbbb0
Showing 4 changed files with 77 additions and 4 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -198,7 +198,7 @@ const config = await loadConfig(configFile, cwd);
| [removeNonInheritableGroupAttrs](https://github.com/svg/svgo/blob/main/plugins/removeNonInheritableGroupAttrs.js) | remove non-inheritable group's "presentation" attributes | Yes |
| [removeOffCanvasPaths](https://github.com/svg/svgo/blob/main/plugins/removeOffCanvasPaths.js) | removes elements that are drawn outside of the viewbox | |
| [removeRasterImages](https://github.com/svg/svgo/blob/main/plugins/removeRasterImages.js) | remove raster images | |
| [removeScriptElement](https://github.com/svg/svgo/blob/main/plugins/removeScriptElement.js) | remove `<script>` elements | |
| [removeScriptElement](https://github.com/svg/svgo/blob/main/plugins/removeScriptElement.js) | remove scripts | |
| [removeStyleElement](https://github.com/svg/svgo/blob/main/plugins/removeStyleElement.js) | remove `<style>` elements | |
| [removeTitle](https://github.com/svg/svgo/blob/main/plugins/removeTitle.js) | remove `<title>` | Yes |
| [removeUnknownsAndDefaults](https://github.com/svg/svgo/blob/main/plugins/removeUnknownsAndDefaults.js) | remove unknown elements content and attributes, remove attributes with default values | Yes |
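Review bot: The new description `remove scripts` in the removeScriptElement row no longer tells the reader what is removed. This commit widens the plugin from `<script>` elements to event attributes and `javascript:` links on `<a>` as well, so list those three cases in the cell; users who enable the plugin for untrusted SVG need to know what is covered and what is not.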
46 changes: 43 additions & 3 deletions plugins/removeScriptElement.js
@@ -1,17 +1,24 @@
'use strict';

const { detachNodeFromParent } = require('../lib/xast.js');
const { attrsGroups } = require('./_collections.js');

exports.name = 'removeScriptElement';
exports.description = 'removes <script> elements (disabled by default)';
exports.description = 'removes scripts (disabled by default)';

/** Union of all event attributes. */
const eventAttrs = [
...attrsGroups.animationEvent,
...attrsGroups.graphicalEvent,
...attrsGroups.documentEvent,
];

/**
* Remove <script>.
* Remove scripts.
*
* https://www.w3.org/TR/SVG11/script.html
*
* @author Patrick Klingemann
*
* @type {import('./plugins-types').Plugin<'removeScriptElement'>}
*/
exports.fn = () => {
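Review bot: `eventAttrs` is a fixed list built from three groups in `_collections.js` (`animationEvent`, `graphicalEvent`, `documentEvent`), so any event-handler attribute that is missing from those groups stays on the element. The JSDoc now says only "Remove scripts."; document there that attribute coverage is bounded by those groups, or consider matching on the `on` prefix if the intent is to drop every handler.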
Expand All @@ -20,6 +27,39 @@ exports.fn = () => {
enter: (node, parentNode) => {
if (node.name === 'script') {
detachNodeFromParent(node, parentNode);
return;
}

for (const attr of eventAttrs) {
if (node.attributes[attr] != null) {
delete node.attributes[attr];
}
}
},
exit: (node, parentNode) => {
if (node.name !== 'a') {
return;
}

for (const attr of ['href', 'xlink:href']) {
if (
node.attributes[attr] == null ||
!node.attributes[attr].trimStart().startsWith('javascript:')
) {
continue;
}

detachNodeFromParent(node, parentNode);
const index = parentNode.children.indexOf(node);
parentNode.children.splice(index, 1, ...node.children);

// TODO remove legacy parentNode in v4
for (const child of node.children) {
Object.defineProperty(child, 'parentNode', {
writable: true,
value: parentNode,
});
}
}
},
},
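Review bot: In the `exit` handler, `.trimStart().startsWith('javascript:')` is a case-sensitive comparison while URL schemes are case-insensitive, so an `href` whose scheme is written in upper or mixed case hits the `continue` and the anchor is kept. Lowercase the trimmed value before comparing. Separately, `detachNodeFromParent(node, parentNode)` runs before `parentNode.children.indexOf(node)`; if the detach has already taken `node` out of `parentNode.children`, `indexOf` returns -1 and `splice(-1, 1, ...node.children)` replaces the parent's last child rather than the anchor. Take the index first, or drop the detach call and let the splice do the replacement, and `break` after the first match so an anchor with both `href` and `xlink:href` set is not processed twice. The added test files are not displayed here, so it is not visible whether they cover these cases.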
16 changes: 16 additions & 0 deletions test/plugins/removeScriptElement.02.svg
17 changes: 17 additions & 0 deletions test/plugins/removeScriptElement.03.svg