scriptless-svg/README.md

# scriptless-svg

A simple command-line tool for detecting SVG files that contain embedded scripts (eg. Javascript), which may be undesirable from a security perspective. Uses [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) for scanning.

If you want to integrate SVG scanning into a bigger application, you should use [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) directly instead. This package __only__ contains a CLI tool for it.

## License, donations, and other boilerplate

Licensed under either the [WTFPL](http://www.wtfpl.net/txt/copying/) or [CC0](https://creativecommons.org/publicdomain/zero/1.0/), at your choice. In practice, that means it's more or less public domain, and you can do whatever you want with it. Giving credit is *not* required, but still very much appreciated! I'd love to [hear from you](mailto:admin@cryto.net) if this module was useful to you.

Creating and maintaining open-source modules is a lot of work. A donation is also not required, but much appreciated! You can donate [here](http://cryto.net/~joepie91/donate.html).

## Screenshot

When running `scriptless-svg` on the [Web Platform Tests for SVG](https://github.com/web-platform-tests/wpt/tree/master/svg):

![Screenshot](https://git.cryto.net/joepie91/scriptless-svg/raw/master/screenshot.png)

## Usage

`scriptless-svg` takes any amount of paths and/or [globs](https://www.npmjs.com/package/globby#globbing-patterns) as its arguments. If an argument doesn't exist as an exact path, it is assumed to be a glob (and will fail if not). You can include negated globs to exclude certain patterns.

Additionally, you can pass the `--errors-only` flag to omit all files from the output that passed the check successfully. This is especially recommended for CI setups where you are only interested in the failures.

Note that __by default, only files that end in `.svg` are considered when you specify a directory path__. If you wish to also scan files with a different extension, it must be an explicit glob.

The process will return exit code 1 if any scanned files failed the check (ie. contain scripts), or exit code 0 if all files passed.

## Examples

Scan all `*.svg` files in the current directory and any subdirectories:

```sh
scriptless-svg
```

Scan all `*.svg` files in a given target directory and its subdirectories:

```sh
scriptless-svg /path/to/directory
```

Complex globs, with eg. exclusions (note that globs should be single-quoted to work correctly!):

```sh
scriptless-svg svg/ '!svg/scriptable/**/*.scriptable.svg'
```

Show only the files that failed the check (ie. contain scripts), not the ones that passed:

```sh
scriptless-svg --errors-only svg/
```
Initial commit 4 years ago			`# scriptless-svg`

			`A simple command-line tool for detecting SVG files that contain embedded scripts (eg. Javascript), which may be undesirable from a security perspective. Uses [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) for scanning.`

			`If you want to integrate SVG scanning into a bigger application, you should use [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) directly instead. This package __only__ contains a CLI tool for it.`

			`## License, donations, and other boilerplate`

			`Licensed under either the [WTFPL](http://www.wtfpl.net/txt/copying/) or [CC0](https://creativecommons.org/publicdomain/zero/1.0/), at your choice. In practice, that means it's more or less public domain, and you can do whatever you want with it. Giving credit is not required, but still very much appreciated! I'd love to [hear from you](mailto:admin@cryto.net) if this module was useful to you.`

			`Creating and maintaining open-source modules is a lot of work. A donation is also not required, but much appreciated! You can donate [here](http://cryto.net/~joepie91/donate.html).`

			`## Screenshot`

			When running `scriptless-svg` on the [Web Platform Tests for SVG](https://github.com/web-platform-tests/wpt/tree/master/svg):

			`![Screenshot](https://git.cryto.net/joepie91/scriptless-svg/raw/master/screenshot.png)`

			`## Usage`

			`scriptless-svg` takes any amount of paths and/or [globs](https://www.npmjs.com/package/globby#globbing-patterns) as its arguments. If an argument doesn't exist as an exact path, it is assumed to be a glob (and will fail if not). You can include negated globs to exclude certain patterns.

			Additionally, you can pass the `--errors-only` flag to omit all files from the output that passed the check successfully. This is especially recommended for CI setups where you are only interested in the failures.

Actually put the bold text in the right place 4 years ago			Note that __by default, only files that end in `.svg` are considered when you specify a directory path__. If you wish to also scan files with a different extension, it must be an explicit glob.
Documentation fixes 4 years ago
Initial commit 4 years ago			`The process will return exit code 1 if any scanned files failed the check (ie. contain scripts), or exit code 0 if all files passed.`

			`## Examples`

Documentation fixes 4 years ago			Scan all `*.svg` files in the current directory and any subdirectories:
Initial commit 4 years ago
			```sh
			`scriptless-svg`
			```

Documentation fixes 4 years ago			Scan all `*.svg` files in a given target directory and its subdirectories:
Initial commit 4 years ago
			```sh
			`scriptless-svg /path/to/directory`
			```

			`Complex globs, with eg. exclusions (note that globs should be single-quoted to work correctly!):`

			```sh
			`scriptless-svg svg/ '!svg/scriptable/*/.scriptable.svg'`
			```

			`Show only the files that failed the check (ie. contain scripts), not the ones that passed:`

			```sh
			`scriptless-svg --errors-only svg/`
			```