# scriptless-svg

A simple command-line tool for detecting SVG files that contain embedded scripts (e.g. JavaScript), which may be undesirable from a security perspective. Uses [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) for scanning.

If you want to integrate SVG scanning into a bigger application, you should use [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) directly instead. This package __only__ contains a CLI tool for it.
## License, donations, and other boilerplate

Licensed under either the [WTFPL](http://www.wtfpl.net/txt/copying/) or [CC0](https://creativecommons.org/publicdomain/zero/1.0/), at your choice. In practice, that means it's more or less public domain, and you can do whatever you want with it. Giving credit is *not* required, but still very much appreciated! I'd love to [hear from you](mailto:admin@cryto.net) if this module was useful to you.

Creating and maintaining open-source modules is a lot of work. A donation is also not required, but much appreciated! You can donate [here](http://cryto.net/~joepie91/donate.html).
## Screenshot

When running `scriptless-svg` on the [Web Platform Tests for SVG](https://github.com/web-platform-tests/wpt/tree/master/svg):

![Screenshot](https://git.cryto.net/joepie91/scriptless-svg/raw/master/screenshot.png)
## Usage

`scriptless-svg` takes any number of paths and/or [globs](https://www.npmjs.com/package/globby#globbing-patterns) as its arguments. If an argument doesn't exist as an exact path, it is assumed to be a glob (and will fail if it is not one). You can include negated globs to exclude certain patterns.

Additionally, you can pass the `--errors-only` flag to omit all files that passed the check from the output. This is especially recommended for CI setups where you are only interested in the failures.

The process exits with code 1 if any scanned file failed the check (i.e. contains scripts), or with code 0 if all files passed.
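The per-file check described in the introduction and the pass/fail and exit-code contract described above, as an added example written for this page (it is not the code of `scriptless-svg` or of `detect-svg-scripts`): a simplified scanner that flags the three usual script vectors in an SVG document (`<script>` elements, `on*` event-handler attributes, and `javascript:` URLs in `href`/`xlink:href`/`src`), then splits a constructed set of files into passed and failed, renders the report with and without the `--errors-only` behaviour, and derives the exit code. The function names, the sample file paths and contents, and the output format are assumptions made for illustration.

```javascript
// Added example, not detect-svg-scripts' own implementation. Tags are tokenised with
// regular expressions for brevity; a production scanner should use a real XML parser
// so that CDATA sections, comments and namespace prefixes are handled properly.

// Event-handler attributes (onload, onclick, onbegin, ...) run code when the event fires.
const EVENT_ATTR = /^on[a-z]+$/i;
// URL-carrying attributes where a "javascript:" scheme executes on activation.
const URL_ATTRS = new Set(["href", "xlink:href", "src"]);

// Decode numeric character references so an encoded scheme is not overlooked.
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Return a list of findings ({ kind, element, detail }) for one SVG document.
function detectSvgScriptVectors(svg) {
  const findings = [];
  // group 1 = element name, group 2 = raw attribute text of a start/self-closing tag
  const tagRe = /<([A-Za-z][\w:.-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s=>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let tag;
  while ((tag = tagRe.exec(svg)) !== null) {
    const element = tag[1];
    const localName = element.includes(":") ? element.split(":").pop() : element;
    if (localName.toLowerCase() === "script") {
      findings.push({ kind: "script-element", element, detail: "inline or external <script>" });
    }
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const name = attr[1];
      const value = decodeNumericEntities(attr[2] ?? attr[3] ?? attr[4] ?? "");
      if (EVENT_ATTR.test(name)) {
        findings.push({ kind: "event-handler", element, detail: name });
      } else if (URL_ATTRS.has(name.toLowerCase())) {
        // Browsers ignore ASCII control characters inside the scheme, so strip them first.
        const scheme = value.replace(/[\u0000-\u001f]/g, "").trimStart();
        if (/^javascript:/i.test(scheme)) {
          findings.push({ kind: "javascript-url", element, detail: `${name}="${value}"` });
        }
      }
    }
  }
  return findings;
}

// Scan a set of files (path -> contents) and split them into passed and failed.
function scanFiles(files) {
  const passed = [];
  const failed = [];
  for (const [path, contents] of Object.entries(files)) {
    const findings = detectSvgScriptVectors(contents);
    if (findings.length === 0) passed.push(path);
    else failed.push({ path, findings });
  }
  return { passed, failed };
}

// The CLI contract: exit code 1 if any scanned file failed, 0 if all passed.
function exitCodeFor(report) {
  return report.failed.length > 0 ? 1 : 0;
}

// Render the report; errorsOnly mirrors --errors-only (passed files are omitted).
function formatReport(report, errorsOnly = false) {
  const lines = [];
  if (!errorsOnly) for (const path of report.passed) lines.push(`PASS ${path}`);
  for (const { path, findings } of report.failed) {
    lines.push(`FAIL ${path}`);
    for (const f of findings) lines.push(`  ${f.kind} in <${f.element}>: ${f.detail}`);
  }
  return lines;
}

// Constructed sample inputs (not real files): one clean icon and one per vector.
const SAMPLE_FILES = {
  "icons/clean.svg":
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>',
  "icons/script.svg":
    '<svg xmlns="http://www.w3.org/2000/svg"><script type="text/javascript">console.log("hi")</script></svg>',
  "icons/onload.svg":
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><rect width="10" height="10"/></svg>',
  "icons/link.svg":
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">' +
    '<a xlink:href="javascript:void(0)"><text x="1" y="9">link</text></a></svg>',
};

const report = scanFiles(SAMPLE_FILES);
console.log(formatReport(report, true).join("\n"));
console.log(`exit code: ${exitCodeFor(report)}`);
```

The scanner is deliberately conservative: a `<script>` inside an XML comment is still reported, which is the right default for a gate whose job is to refuse files rather than to prove them safe. The entity decoding and control-character stripping are there because the browser applies both before deciding whether a URL's scheme is `javascript:`; a scanner that skips either step passes files the browser would execute.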
## Examples

Scan all `*.svg` files in the current directory and any subdirectories:

```sh
scriptless-svg
```

Scan all `*.svg` files in a given target directory and its subdirectories:

```sh
scriptless-svg /path/to/directory
```

Complex globs, e.g. with exclusions (note that globs should be single-quoted to work correctly!):

```sh
scriptless-svg svg/ '!svg/scriptable/**/*.scriptable.svg'
```

Show only the files that failed the check (i.e. contain scripts), not the ones that passed:

```sh
scriptless-svg --errors-only svg/
```