Closed SethFalco closed 8 months ago
Merging #186 (dff8cd9) into main (5980f4e) will not change coverage. The diff coverage is
n/a
.
@@ Coverage Diff @@
## main #186 +/- ##
=======================================
Coverage 54.01% 54.01%
=======================================
Files 11 11
Lines 1083 1083
Branches 45 45
=======================================
Hits 585 585
Misses 498 498
https://github.com/unjs/ipx/releases/tag/v2.0.1
Looking forward for svgo next release!
๐ Linked issue
N/A
โ Type of change
๐ Description
The
removeXSS
plugin for SVGO was missing one of the possible ways to execute scripts. SVGshref
attributes, regardless of namespace, can contain JavaScript URIs, which the client will execute.I recently updated the SVGO
removeScriptElement
plugin to handle this. When v3.0.3 is released, you'll no longer need to maintain theremoveXSS
plugin, and can instead opt for theremoveScriptElement
plugin. This plugin is due to be renamed toremoveScripts
.Documentation: https://svgo.dev/docs/plugins/remove-scripts/
I'm not sure when v3.0.3 can be released, so it's probably worth updating the plugin already. Once v3.0.3 is released, I'd be happy to open another PR to help with migrating over to it and dropping
removeXSS
.Reference: https://github.com/svg/svgo/pull/1664#issuecomment-1793440427
Chores
I also did the following chores:
onzoom
event, which is included in the list of events in SVGO.๐ Checklist