Rudxain / custom-emoji-inliner

takes a table of icon URLs, and it'll replace ":emoji_id:" by its corresponding <img> within any input file
Mozilla Public License 2.0

Warn if SVGs contain `<script>`s #3

Open Rudxain opened 11 months ago

Rudxain commented 11 months ago

Emojis are meant to be static, not interactive. And even if someone wants animated emojis, they can simply use CSS instead of JS.

This should be deny-by-default, but it'll be warn-by-default, for the sake of convenience. Users could add a rule to their config to omit inlining SVGs that contain JS. Another opt-in rule would completely forbid any inlining altogether if any SVG has JS, and force the user to remove it from the defs file.

In the special case that the script is pure whitespace (or an empty string), it'll be considered as non-existent, for convenience (again).
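A sketch of the check this issue describes, as an added example that is not code from the project. The policy names `warn`, `skip` and `forbid`, the function names and the sample SVGs are assumptions; counting an empty-bodied `<script href="…">` as a script goes beyond the issue text, since such an element still loads code.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample defs: emoji id -> SVG source.
SAMPLES = {
    "plain": '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "blank": '<svg xmlns="http://www.w3.org/2000/svg"><script>  \n </script></svg>',
    "inline": '<svg xmlns="http://www.w3.org/2000/svg">'
              '<script><![CDATA[ tick() ]]></script></svg>',
    "linked": '<svg xmlns="http://www.w3.org/2000/svg"><script href="anim.js"/></svg>',
}


def active_scripts(svg_text):
    """Return the <script> elements of an SVG that actually carry code."""
    found = []
    for el in ET.fromstring(svg_text).iter():
        # Strip the "{namespace}" prefix; compare case-insensitively because
        # an inlined SVG is re-parsed by the HTML parser, which lowercases tags.
        if el.tag.rsplit("}", 1)[-1].lower() != "script":
            continue
        body = "".join(el.itertext()).strip()  # CDATA arrives as plain text
        external = el.get("href") or el.get(f"{{{XLINK_NS}}}href")
        # Whitespace-only or empty scripts count as non-existent (per the
        # issue), unless they point at an external file (assumption).
        if body or external:
            found.append(el)
    return found


def decide(emojis, policy="warn"):
    """Apply a hypothetical policy; return (ids_to_inline, warnings).

    warn   - inline everything, report scripted SVGs (the default)
    skip   - leave scripted SVGs out of the inlined set
    forbid - refuse to inline anything if any SVG is scripted
    """
    flagged = {eid for eid, svg in emojis.items() if active_scripts(svg)}
    warnings = [f"{eid}: SVG contains <script>" for eid in sorted(flagged)]
    if policy == "forbid" and flagged:
        raise ValueError("; ".join(warnings))
    if policy == "skip":
        return [eid for eid in emojis if eid not in flagged], warnings
    return list(emojis), warnings


if __name__ == "__main__":
    print(decide(SAMPLES))
```

An SVG that is not well-formed XML raises `ET.ParseError` here, which a caller would want to report as its own warning rather than treat as script-free.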