Skip to content

Commit 5d05804

Browse files
SethFalcoSethFalco
committed
fix(removeScriptElement): remove link anchors with scripts
1 parent e529c66 commit 5d05804

File tree

4 files changed

+77
-4
lines changed

4 files changed

+77
-4
lines changed

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -198,7 +198,7 @@ const config = await loadConfig(configFile, cwd);
198198
| [removeNonInheritableGroupAttrs](https://github.com/svg/svgo/blob/main/plugins/removeNonInheritableGroupAttrs.js) | remove non-inheritable group's "presentation" attributes | Yes |
199199
| [removeOffCanvasPaths](https://github.com/svg/svgo/blob/main/plugins/removeOffCanvasPaths.js) | removes elements that are drawn outside of the viewbox | |
200200
| [removeRasterImages](https://github.com/svg/svgo/blob/main/plugins/removeRasterImages.js) | remove raster images | |
201-
| [removeScriptElement](https://github.com/svg/svgo/blob/main/plugins/removeScriptElement.js) | remove `<script>` elements | |
201+
| [removeScriptElement](https://github.com/svg/svgo/blob/main/plugins/removeScriptElement.js) | remove scripts | |
202202
| [removeStyleElement](https://github.com/svg/svgo/blob/main/plugins/removeStyleElement.js) | remove `<style>` elements | |
203203
| [removeTitle](https://github.com/svg/svgo/blob/main/plugins/removeTitle.js) | remove `<title>` | Yes |
204204
| [removeUnknownsAndDefaults](https://github.com/svg/svgo/blob/main/plugins/removeUnknownsAndDefaults.js) | remove unknown elements content and attributes, remove attributes with default values | Yes |

plugins/removeScriptElement.js

Lines changed: 43 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,24 @@
11
'use strict';
22

33
const { detachNodeFromParent } = require('../lib/xast.js');
4+
const { attrsGroups } = require('./_collections.js');
45

56
exports.name = 'removeScriptElement';
6-
exports.description = 'removes <script> elements (disabled by default)';
7+
exports.description = 'removes scripts (disabled by default)';
8+
9+
/** Union of all event attributes. */
10+
const eventAttrs = [
11+
...attrsGroups.animationEvent,
12+
...attrsGroups.graphicalEvent,
13+
...attrsGroups.documentEvent,
14+
];
715

816
/**
9-
* Remove <script>.
17+
* Remove scripts.
1018
*
1119
* https://www.w3.org/TR/SVG11/script.html
1220
*
1321
* @author Patrick Klingemann
14-
*
1522
* @type {import('./plugins-types').Plugin<'removeScriptElement'>}
1623
*/
1724
exports.fn = () => {
@@ -20,6 +27,39 @@ exports.fn = () => {
2027
enter: (node, parentNode) => {
2128
if (node.name === 'script') {
2229
detachNodeFromParent(node, parentNode);
30+
return;
31+
}
32+
33+
for (const attr of eventAttrs) {
34+
if (node.attributes[attr] != null) {
35+
delete node.attributes[attr];
36+
}
37+
}
38+
},
39+
exit: (node, parentNode) => {
40+
if (node.name !== 'a') {
41+
return;
42+
}
43+
44+
for (const attr of ['href', 'xlink:href']) {
45+
if (
46+
node.attributes[attr] == null ||
47+
!node.attributes[attr].trimStart().startsWith('javascript:')
48+
) {
49+
continue;
50+
}
51+
52+
detachNodeFromParent(node, parentNode);
53+
const index = parentNode.children.indexOf(node);
54+
parentNode.children.splice(index, 1, ...node.children);
55+
56+
// TODO remove legacy parentNode in v4
57+
for (const child of node.children) {
58+
Object.defineProperty(child, 'parentNode', {
59+
writable: true,
60+
value: parentNode,
61+
});
62+
}
2363
}
2464
},
2565
},

test/plugins/removeScriptElement.02.svg

Lines changed: 16 additions & 0 deletions
Loading

test/plugins/removeScriptElement.03.svg

Lines changed: 17 additions & 0 deletions
Loading

0 commit comments

Comments
 (0)