# detect-svg-scripts
A library for detecting scripts (e.g. JavaScript) inside SVG files. Useful when building tools that should refuse script-containing SVGs, such as upload validators and other security tooling.

Currently, this library detects:

- Inline `<script>` tags
- External `<script src="...">` references
- `on*` event handler attributes

Anything outside those three categories is not reported: for example a `javascript:` URL in an `href`/`xlink:href` attribute, or HTML embedded via `<foreignObject>`. An empty result therefore means "no script found in the places checked", not "this SVG is safe to render inline"; if you must serve untrusted SVGs, combine this check with serving them via `<img>` (where browsers never execute SVG script) or from a separate origin with a restrictive Content-Security-Policy. Note also that the SVG specification references external scripts through `href` (`xlink:href` in SVG 1.1) rather than `src`, so make sure those spellings are covered as well before relying on the external-reference check alone.

If you know of another place where scripts can occur within SVGs, please open an issue or PR!

## License, donations, and other boilerplate

Licensed under either the [WTFPL](http://www.wtfpl.net/txt/copying/) or [CC0](https://creativecommons.org/publicdomain/zero/1.0/), at your choice. In practice, that means it's more or less public domain, and you can do whatever you want with it. Giving credit is *not* required, but still very much appreciated! I'd love to [hear from you](mailto:admin@cryto.net) if this module was useful to you.

Creating and maintaining open-source modules is a lot of work. A donation is also not required, but much appreciated! You can donate [here](http://cryto.net/~joepie91/donate.html).

## Example

A runnable version of this example can be found in `example.js` in the repository.

```js
"use strict";

const Promise = require("bluebird");
const fs = require("fs");
const path = require("path");
const detectSVGScripts = require("detect-svg-scripts");

Promise.try(() => {
	// A readable stream is accepted directly; the file is scanned as it is read.
	return detectSVGScripts(fs.createReadStream(path.join(__dirname, "test-svg/clock.svg")));
}).then((result) => {
	console.log(result); /*
	[
		{
			type: 'inlineScriptTag',
			tag: { name: 'SCRIPT', attributes: [Object], isSelfClosing: false }
		}
	]
	*/

	// A Buffer (or a string) with the whole document works as well.
	return fs.promises.readFile(path.join(__dirname, "test-svg/wpt.svg"));
}).then((buffer) => {
	return detectSVGScripts(buffer);
}).then((result) => {
	// Findings are reported in document order, one entry per script location.
	console.log(result); /*
	[
		{
			type: 'eventHandler',
			tag: { name: 'SVG', attributes: [Object], isSelfClosing: false },
			attribute: 'onload'
		},
		{
			type: 'inlineScriptTag',
			tag: { name: 'SCRIPT', attributes: [Object], isSelfClosing: false }
		}
	]
	*/
});
```
## API

### detectSVGScripts(source)

Scans the given `source` SVG content for scripts.

- __source:__ The SVG to scan, as either a string, a Buffer, or a readable Node.js stream.

Returns a Promise that resolves to an array of found scripts. Each item includes some metadata, and there are various `type`s:

- __eventHandler:__ Inline event handler, like an `onclick` attribute. The `attribute` property specifies the name of the handler.
- __inlineScriptTag:__ Inline `<script>` block. No additional metadata is included.
- __externalScriptFile:__ A `<script src="...">` tag, i.e. one that references an external file. The `file` property specifies the path of that file.

The Promise may also reject, with any of the errors that could be caused by [sax](https://www.npmjs.com/package/sax) (which unfortunately doesn't document the possible errors). If you use this as a gate, treat a rejection as a failed check rather than as "no scripts found": an SVG that sax could not parse has not been inspected.
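The following is added example code for this page, not the library's own code (which is built on sax): a dependency-free scanner that produces the three `type`s listed under "Currently, this library detects" and documented in this API section, run over constructed sample SVGs. It goes slightly beyond the page's list by also treating `href` and `xlink:href` on `<script>` as external references, since that is how the SVG specification spells them, and it rejects input it cannot tokenize instead of reporting it clean, which is how a rejection from `detectSVGScripts` should be treated too. All names (`scanSVG`, `SAMPLES`, `EXTERNAL_SCRIPT_ATTRS`) and the sample inputs are invented for the example, and its `tag` field is just the tag name rather than sax's tag object.

```javascript
"use strict";

// Example code added for this page, not the library's own sax-based
// implementation. It tokenizes comments, CDATA sections, processing
// instructions, the doctype and start tags in document order, so a "<script>"
// that only appears inside a comment or CDATA section is ignored, exactly as
// an XML parser would ignore it. Names (scanSVG, SAMPLES, ...) are assumed.

// Attributes through which an SVG <script> can reference an external file.
// "src" is the spelling the README lists; "href" (SVG 2) and "xlink:href"
// (SVG 1.1) are the spellings the SVG specification itself defines.
const EXTERNAL_SCRIPT_ATTRS = new Set(["src", "href", "xlink:href"]);

const NAME = "[A-Za-z_:][\\w.:-]*";
const ATTR = `${NAME}\\s*=\\s*(?:"[^"]*"|'[^']*')`;
// Alternatives are tried in this order at every "<": comment, CDATA, PI,
// doctype, start tag (capture 1 = tag name, capture 2 = raw attribute text).
const TOKEN_RE = new RegExp(
	`<!--[\\s\\S]*?-->|<!\\[CDATA\\[[\\s\\S]*?\\]\\]>|<\\?[\\s\\S]*?\\?>|` +
	`<!DOCTYPE[^>]*>|<(${NAME})((?:\\s+${ATTR})*)\\s*/?>`,
	"g"
);
const ATTR_RE = new RegExp(`(${NAME})\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "g");

function parseAttributes(text) {
	return Array.from(text.matchAll(ATTR_RE), (a) => [a[1], a[2] !== undefined ? a[2] : a[3]]);
}

// Well-formed XML never has a raw "<" in character data, so any "<" the
// tokenizer could not consume (other than an end tag) is input it does not
// understand. A security gate must fail closed on that, not report "clean".
function rejectStrayMarkup(text) {
	if (/<(?!\/)/.test(text)) {
		throw new Error("unparseable markup; refusing to classify this SVG");
	}
}

// Returns an array shaped like the library's result: one object per finding
// with type "eventHandler", "inlineScriptTag" or "externalScriptFile".
// (The "tag" field here is just the tag name, not sax's tag object.)
function scanSVG(svg) {
	const findings = [];
	let cursor = 0;
	for (const m of svg.matchAll(TOKEN_RE)) {
		rejectStrayMarkup(svg.slice(cursor, m.index));
		cursor = m.index + m[0].length;
		const name = m[1];
		if (name === undefined) continue; // comment, CDATA, PI or doctype
		const attributes = parseAttributes(m[2]);
		for (const [attrName] of attributes) {
			// Case-insensitive on purpose: SVG inlined in HTML goes through the
			// HTML tokenizer, which lowercases "onLoad" to "onload" before it fires.
			if (/^on[a-z]/i.test(attrName)) {
				findings.push({ type: "eventHandler", tag: name, attribute: attrName.toLowerCase() });
			}
		}
		// Match "script" regardless of case or namespace prefix (e.g. svg:script).
		if (name.toLowerCase().split(":").pop() === "script") {
			const external = attributes.find(([k]) => EXTERNAL_SCRIPT_ATTRS.has(k.toLowerCase()));
			findings.push(external
				? { type: "externalScriptFile", tag: name, file: external[1] }
				: { type: "inlineScriptTag", tag: name });
		}
	}
	rejectStrayMarkup(svg.slice(cursor));
	return findings;
}

// Constructed sample inputs: one per category, plus the cases a naive grep
// for "<script" or "on" gets wrong, and one known blind spot.
const SVG_NS = 'xmlns="http://www.w3.org/2000/svg"';
const SAMPLES = {
	clean: `<?xml version="1.0"?>
<!-- <script>only a comment</script> -->
<svg ${SVG_NS} viewBox="0 0 10 10">
	<rect width="10" height="10" fill="#0f0"/>
	<text><![CDATA[<script>character data, not markup</script>]]></text>
</svg>`,
	inlineScript: `<svg ${SVG_NS}><script><![CDATA[ alert(document.domain) ]]></script></svg>`,
	externalScript: `<svg ${SVG_NS} xmlns:xlink="http://www.w3.org/1999/xlink">
	<script xlink:href="https://example.invalid/payload.js"/>
</svg>`,
	eventHandler: `<svg ${SVG_NS} onLoad="alert(1)"><circle r="5" onclick='alert(2)'/></svg>`,
	// Not covered by the three categories: a javascript: URL on a link.
	javascriptUrl: `<svg ${SVG_NS}><a href="javascript:alert(1)"><text>click</text></a></svg>`,
	// A raw "<" in script text is not well-formed XML; scanSVG throws instead of guessing.
	malformed: `<svg ${SVG_NS}><script>if (a<b) alert(1)</script></svg>`,
};

for (const [label, svg] of Object.entries(SAMPLES)) {
	try {
		console.log(label, JSON.stringify(scanSVG(svg)));
	} catch (err) {
		console.log(label, "rejected:", err.message);
	}
}
```

The `javascriptUrl` sample is there to make the blind spot visible: it contains no `<script>` element and no `on*` attribute, so neither this scanner nor the three checks above report anything, even though a browser executes it when the link is clicked in an inline-rendered SVG. The `malformed` sample shows the fail-closed behaviour: rather than returning an empty array for input it cannot tokenize, the scanner throws, and a gate built on it should deny the upload in that case.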