fix(svgo): handle javascript uris in removexss plugin

[SethFalco]

🔗 Linked issue

N/A

❓ Type of change

• [ ] 📖 Documentation (updates to the documentation, readme, or JSdoc annotations)
• [x] 🐞 Bug fix (a non-breaking change that fixes an issue)
• [ ] 👌 Enhancement (improving an existing functionality like performance)
• [ ] ✨ New feature (a non-breaking change that adds functionality)
• [ ] 🧹 Chore (updates to the build process or auxiliary tools and libraries)
• [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

The removeXSS plugin for SVGO was missing one of the possible ways to execute scripts. SVGs href attributes, regardless of namespace, can contain JavaScript URIs, which the client will execute.

I recently updated the SVGO removeScriptElement plugin to handle this. When v3.0.3 is released, you'll no longer need to maintain the removeXSS plugin, and can instead opt for the removeScriptElement plugin. This plugin is due to be renamed to removeScripts.

Documentation: https://svgo.dev/docs/plugins/remove-scripts/

I'm not sure when v3.0.3 can be released, so it's probably worth updating the plugin already. Once v3.0.3 is released, I'd be happy to open another PR to help with migrating over to it and dropping removeXSS.

Reference: https://github.com/svg/svgo/pull/1664#issuecomment-1793440427

Chores

I also did the following chores:

• Sorts and removes duplicates from the list of events.
• Adds onzoom event, which is included in the list of events in SVGO.

📝 Checklist

• N/A I have linked an issue or discussion.
• N/A I have updated the documentation accordingly.

[codecov[bot]]

Codecov Report

Merging #186 (dff8cd9) into main (5980f4e) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #186   +/-   ##
=======================================
  Coverage   54.01%   54.01%           
=======================================
  Files          11       11           
  Lines        1083     1083           
  Branches       45       45           
=======================================
  Hits          585      585           
  Misses        498      498           

[pi0]

https://github.com/unjs/ipx/releases/tag/v2.0.1

Looking forward for svgo next release!