Module: SvgSentinel
- Defined in:
- lib/svg_sentinel.rb,
lib/svg_sentinel/cli.rb,
lib/svg_sentinel/rules.rb,
lib/svg_sentinel/sarif.rb,
lib/svg_sentinel/config.rb,
lib/svg_sentinel/errors.rb,
lib/svg_sentinel/policy.rb,
lib/svg_sentinel/result.rb,
lib/svg_sentinel/finding.rb,
lib/svg_sentinel/scanner.rb,
lib/svg_sentinel/version.rb,
lib/svg_sentinel/sanitizer.rb,
lib/svg_sentinel/structure_listener.rb
Overview
SvgSentinel lints untrusted SVG before you render or embed it. It flags the constructs that make SVG dangerous - scripts, event handlers, javascript: URIs, foreign objects, external references, and XXE via DOCTYPE or ENTITY - and, in its strict profile, the extras that a brand-mark logo (BIMI-style) must not contain, such as animation and raster images.
result = SvgSentinel.scan(svg_string)
result.safe? # => false
result.findings # => [#<Finding code=:script_element severity=:critical ...>]
Findings are re-rated for a rendering context (:inline by default, or :img / :css_background where a browser runs SVG without scripting). To clean rather than reject, use SvgSentinel.sanitize, which rewrites the SVG or returns nil when the threat is structural and cannot be safely rewritten.
Defined Under Namespace
Modules: Rules, Sarif Classes: CLI, Config, ConfigError, Error, Finding, Policy, Result, Sanitizer, Scanner, StructureListener
Constant Summary collapse
- VERSION =
"0.1.0"
Class Method Summary collapse
-
.safe?(svg, **options) ⇒ Boolean
Convenience predicate: true when the SVG has no critical findings.
-
.sanitize(svg, **options) ⇒ Object
Rewrite an SVG into a safe one.
-
.scan(svg, **options) ⇒ Object
Scan an SVG string and return a Result.
Class Method Details
.safe?(svg, **options) ⇒ Boolean
Convenience predicate: true when the SVG has no critical findings.
39 40 41 |
# File 'lib/svg_sentinel.rb', line 39 def safe?(svg, **) scan(svg, **).safe? end |
.sanitize(svg, **options) ⇒ Object
Rewrite an SVG into a safe one. Returns cleaned SVG as a String, or nil when the input carries a structural threat that cannot be rewritten (DTD/XXE, use bomb, oversize, malformed, non-
47 48 49 |
# File 'lib/svg_sentinel.rb', line 47 def sanitize(svg, **) Sanitizer.new(**).sanitize(svg) end |
.scan(svg, **options) ⇒ Object
Scan an SVG string and return a Result. Options are passed through to Scanner: profile (:strict or :general), allow_external, allow_data_uri, max_bytes (soft brand-mark warning), hard_max_bytes (hard refuse-to-parse cap), max_depth / max_nodes / max_attributes (structural limits), context (:inline, :standalone, :img, :css_background), severity_overrides, disabled.
34 35 36 |
# File 'lib/svg_sentinel.rb', line 34 def scan(svg, **) Scanner.new(**).scan(svg) end |