# scriptless-svg

A simple command-line tool for detecting SVG files that contain embedded scripts (e.g. JavaScript), which may be undesirable from a security perspective. Uses [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) for scanning.

If you want to integrate SVG scanning into a bigger application, you should use [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) directly instead. This package __only__ contains a CLI tool for it.

## License, donations, and other boilerplate

Licensed under either the [WTFPL](http://www.wtfpl.net/txt/copying/) or [CC0](https://creativecommons.org/publicdomain/zero/1.0/), at your choice. In practice, that means it's more or less public domain, and you can do whatever you want with it. Giving credit is *not* required, but still very much appreciated! I'd love to [hear from you](mailto:admin@cryto.net) if this module was useful to you.

Creating and maintaining open-source modules is a lot of work. A donation is also not required, but much appreciated! You can donate [here](http://cryto.net/~joepie91/donate.html).

## Screenshot

When running `scriptless-svg` on the [Web Platform Tests for SVG](https://github.com/web-platform-tests/wpt/tree/master/svg):

![Screenshot](https://git.cryto.net/joepie91/scriptless-svg/raw/master/screenshot.png)

## Usage

`scriptless-svg` takes any number of paths and/or [globs](https://www.npmjs.com/package/globby#globbing-patterns) as its arguments. If an argument doesn't exist as an exact path, it is assumed to be a glob (and will fail if not). You can include negated globs to exclude certain patterns.

Additionally, you can pass the `--errors-only` flag to omit all files from the output that passed the check successfully. This is especially recommended for CI setups where you are only interested in the failures.

Note that __by default, only files that end in `.svg` are considered when you specify a directory path__. If you wish to also scan files with a different extension, it must be an explicit glob.

The process will return exit code 1 if any scanned files failed the check (i.e. contain scripts), or exit code 0 if all files passed.

## Examples

Scan all `*.svg` files in the current directory and any subdirectories:

```sh
scriptless-svg
```

Scan all `*.svg` files in a given target directory and its subdirectories:

```sh
scriptless-svg /path/to/directory
```

Complex globs, with e.g. exclusions (note that globs should be single-quoted to work correctly!):

```sh
scriptless-svg svg/ '!svg/scriptable/**/*.scriptable.svg'
```

Show only the files that failed the check (i.e. contain scripts), not the ones that passed:

```sh
scriptless-svg --errors-only svg/
```
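
A CI gate built on the exit codes and the `--errors-only` flag described under Usage, as an added example that is not part of `scriptless-svg` itself. The `svg_gate` name and the paths in its comments are hypothetical, and treating any exit status other than 0 or 1 as an untrusted scan is this example's assumption, not documented behaviour of the tool.

```sh
#!/bin/sh
# svg_gate: hypothetical CI wrapper around scriptless-svg (not part of the tool).
# Arguments are passed through unchanged, so single-quote globs at the call site:
#   svg_gate assets/ 'assets/**/*.xml' '!assets/vendor/**'   # constructed paths
# A directory argument only covers *.svg; other extensions need an explicit glob.
# Returns 0 = all files clean, 1 = scripts found, 2 = the scan cannot be trusted.
svg_gate() {
    if [ "$#" -lt 1 ]; then
        # Require an explicit target so the scan scope is visible in the CI config.
        echo "usage: svg_gate PATH_OR_GLOB..." >&2
        return 2
    fi
    if ! command -v scriptless-svg >/dev/null 2>&1; then
        # A missing scanner must not look like a passing scan.
        echo "svg_gate: scriptless-svg not on PATH, failing closed" >&2
        return 2
    fi

    # --errors-only keeps the CI log limited to the files that failed the check.
    status=0
    scriptless-svg --errors-only "$@" || status=$?

    case "$status" in
        0) echo "svg_gate: no embedded scripts found" ;;
        1) echo "svg_gate: embedded scripts found, blocking" >&2 ;;
        *) # Assumption of this example: any other status means the scan itself
           # failed (bad glob, crash), so the result is not treated as a pass.
           echo "svg_gate: scanner exited with status $status, failing closed" >&2
           status=2 ;;
    esac
    return "$status"
}
```

Call `svg_gate` from the pipeline step and let its return value decide whether the build continues.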