Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(svgo): handle javascript uris in removexss plugin #186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 6, 2023
Merged

fix(svgo): handle javascript uris in removexss plugin #186

merged 1 commit into from
Nov 6, 2023

Conversation

@SethFalco
Copy link
Contributor

@SethFalco SethFalco commented Nov 4, 2023
edited
Loading

πŸ”— Linked issue

N/A

❓ Type of change

  • πŸ“– Documentation (updates to the documentation, readme, or JSdoc annotations)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • πŸ‘Œ Enhancement (improving an existing functionality like performance)
  • ✨ New feature (a non-breaking change that adds functionality)
  • 🧹 Chore (updates to the build process or auxiliary tools and libraries)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

πŸ“š Description

The removeXSS plugin for SVGO was missing one of the possible ways to execute scripts. SVGs href attributes, regardless of namespace, can contain JavaScript URIs, which the client will execute.

I recently updated the SVGO removeScriptElement plugin to handle this. When v3.0.3 is released, you'll no longer need to maintain the removeXSS plugin, and can instead opt for the removeScriptElement plugin. This plugin is due to be renamed to removeScripts.

Documentation: https://svgo.dev/docs/plugins/remove-scripts/

I'm not sure when v3.0.3 can be released, so it's probably worth updating the plugin already. Once v3.0.3 is released, I'd be happy to open another PR to help with migrating over to it and dropping removeXSS.

Reference: svg/svgo#1664 (comment)

Chores

I also did the following chores:

  • Sorts and removes duplicates from the list of events.
  • Adds onzoom event, which is included in the list of events in SVGO.

πŸ“ Checklist

  • N/A I have linked an issue or discussion.
  • N/A I have updated the documentation accordingly.

pi0
pi0 approved these changes Nov 6, 2023
View reviewed changes
Copy link
Member

@pi0 pi0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@codecov
Copy link

codecov bot commented Nov 6, 2023

Codecov Report

Merging #186 (dff8cd9) into main (5980f4e) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #186   +/-   ##
=======================================
  Coverage   54.01%   54.01%           
=======================================
  Files          11       11           
  Lines        1083     1083           
  Branches       45       45           
=======================================
  Hits          585      585           
  Misses        498      498

@pi0 pi0 changed the title fix: handle javascript uris in removexss plugin fix(svgo): handle javascript uris in removexss plugin Nov 6, 2023
@pi0 pi0 merged commit 1d15d80 into unjs:main Nov 6, 2023
@pi0
Copy link
Member

pi0 commented Nov 6, 2023

https://github.com/unjs/ipx/releases/tag/v2.0.1

Looking forward for svgo next release!

@SethFalco SethFalco deleted the svgo-xss branch November 6, 2023 11:47
@SethFalco SethFalco mentioned this pull request Nov 8, 2023
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pi0 pi0 pi0 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SethFalco @pi0