You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

54 lines
2.7 KiB

2 years ago
# scriptless-svg
A simple command-line tool for detecting SVG files that contain embedded scripts (eg. Javascript), which may be undesirable from a security perspective. Uses [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) for scanning.
If you want to integrate SVG scanning into a bigger application, you should use [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) directly instead. This package __only__ contains a CLI tool for it.
## License, donations, and other boilerplate
Licensed under either the [WTFPL](http://www.wtfpl.net/txt/copying/) or [CC0](https://creativecommons.org/publicdomain/zero/1.0/), at your choice. In practice, that means it's more or less public domain, and you can do whatever you want with it. Giving credit is *not* required, but still very much appreciated! I'd love to [hear from you](mailto:admin@cryto.net) if this module was useful to you.
Creating and maintaining open-source modules is a lot of work. A donation is also not required, but much appreciated! You can donate [here](http://cryto.net/~joepie91/donate.html).
## Screenshot
When running `scriptless-svg` on the [Web Platform Tests for SVG](https://github.com/web-platform-tests/wpt/tree/master/svg):
![Screenshot](https://git.cryto.net/joepie91/scriptless-svg/raw/master/screenshot.png)
## Usage
`scriptless-svg` takes any amount of paths and/or [globs](https://www.npmjs.com/package/globby#globbing-patterns) as its arguments. If an argument doesn't exist as an exact path, it is assumed to be a glob (and will fail if not). You can include negated globs to exclude certain patterns.
Additionally, you can pass the `--errors-only` flag to omit all files from the output that passed the check successfully. This is especially recommended for CI setups where you are only interested in the failures.
Note that __by default, only files that end in `.svg` are considered when you specify a directory path__. If you wish to also scan files with a different extension, it must be an explicit glob.
2 years ago
The process will return exit code 1 if any scanned files failed the check (ie. contain scripts), or exit code 0 if all files passed.
## Examples
Scan all `*.svg` files in the current directory and any subdirectories:
2 years ago
```sh
scriptless-svg
```
Scan all `*.svg` files in a given target directory and its subdirectories:
2 years ago
```sh
scriptless-svg /path/to/directory
```
Complex globs, with eg. exclusions (note that globs should be single-quoted to work correctly!):
```sh
scriptless-svg svg/ '!svg/scriptable/**/*.scriptable.svg'
```
Show only the files that failed the check (ie. contain scripts), not the ones that passed:
```sh
scriptless-svg --errors-only svg/
```