Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@iconfu/svg-inject
Advanced tools
A tiny, intuitive, robust, caching solution for injecting SVG files inline into the DOM.
Developed and maintained by INCORS, the creators of iconfu.com.
SVGInject replaces an <img>
element with an inline SVG. The SVG is loaded from the URL specified in the src
attribute of the <img>
element.
Element before injection:
<img src="image.svg" onload="SVGInject(this)" />
Element after injection (SVG loaded from image.svg):
<svg version="1.1" ...> ... </svg>
An SVG can only be properly styled with CSS and accessed with Javascript on element level if the SVG is inline in the DOM. With SVGInject you can keep your SVGs as individual files, but still access them with CSS and Javascript.
Include the SVGInject Javascript file in the <head>
element of the HTML document, or anywhere before the first usage of SVGInject
<head>
...
<script src="svg-inject.min.js"></script>
...
</head>
Download plain version (v1.2.3): svg-inject.js
Download minified version (v1.2.3): svg-inject.min.js
If you are using npm
$ npm install @iconfu/svg-inject
If you are using Yarn
$ yarn add @iconfu/svg-inject
onload
attributeAdd onload="SVGInject(this)"
to any <img>
element where you want the SVG to be injected.
For most use cases this approach is recommended and provides nice advantages.
<html>
<head>
<script src="svg-inject.min.js"></script>
</head>
<body>
<img src="image1.svg" onload="SVGInject(this)" />
<img src="image2.svg" onload="SVGInject(this)" />
</body>
</html>
<html>
<body>
<img src="image1.svg" class="injectable" />
<img src="image2.svg" class="injectable" />
<script src="svg-inject.min.js"></script>
<script>
SVGInject(document.querySelector("img.injectable"));
</script>
</body>
</html>
Hooray :tada: - The SVGs get injected and are styleable!!!
Wide browser support: Works on all browsers supporting SVG. Yes, this includes Internet Explorer 9 and higher! (full list)
Fallback without Javascript: If Javascript is not available the SVG will still show. It's just not styleable with CSS.
Fallback if image source is not available: Behaves like a normal <img>
element if file not found or not available.
Prevention of ID conflicts: IDs in the SVG are made unique before injection to prevent ID conflicts in the DOM.
onload
?The recommended way to trigger injection is to call SVGInject(this)
inside the onload
attribute:
<img ... onload="SVGInject(this)" />
This provides additional advantages:
Intuitive usage: Insert SVG images into HTML code just as PNG images, with only one additional instruction. It's very clear to understand what it does by looking at the pure HTML.
Works with dynamic content: If <img>
elements are added dynamically, injection still works.
Built-in prevention of unstyled image flash: SVGInject hides <img>
elements until injection is complete, thus preventing a brief flicker of the unstyled image (called unstyled image flash).
Early injection: The injection can already start before the DOM content is fully loaded.
Standard-conform: The onload
event handler on <img>
elements has long been supported by all browsers and is officially part of the W3C specification since HTML5.0.
If you do not want to use the onload
attribute but prefer to inject SVGs directly from Javascript, you can find more information here.
SVGInject is intended to work in production environments however it has a few limitations you should be aware of:
All attributes are copied from the <img>
element to the injected <svg>
element before injection with the following exceptions:
src
, title
, alt
, onerror
and onload
attributes are not copiedtitle
attribute is transformed to a <title>
element and inserted as the first child element of the injeted SVG. If there is an existing <title>
element as first child element it gets replaced.You can disable the previously described attribute handling by setting the copyAttributes
option to false
. You may also implement your own attribute handling in the beforeInject
options hook.
Additionally, after loading the SVG, the value of the src
attribute of the <img>
element is transformed to an absolute URL and inserted as a data-inject-url
attribute.
Function | Description |
---|---|
SVGInject(img, options) | Injects the SVG specified in the src attribute of the specified img element or array of elements. The optional second parameter sets the options for this injection. Returns a Promise object which resolves if all passed in img elements have either been injected or failed to inject (Only if a global Promise object is available like in all modern browsers or through a Promise Polyfill). |
SVGInject.setOptions(options) | Sets the default options for SVGInject. |
SVGInject.err(img, fallbackSrc) | Used in onerror event of an <img> element to handle cases when loading of the original source fails (for example if the file is corrupt or not found or if the browser does not support SVG). This triggers a call to the option's onFail hook if available. The optional second parameter will be set as the new src attribute for the img element. |
Property name | Type | Default | Description |
---|---|---|---|
useCache | boolean | true | If set to true the SVG will be cached using the absolute URL. The cache only persists for the lifetime of the page. Without caching images with the same absolute URL will trigger a new XMLHttpRequest but browser caching will still apply. |
copyAttributes | boolean | true | If set to true attributes will be copied from the img to the injected svg element. You may implement your own method for copying attributes in the beforeInject options hook. |
makeIdsUnique | boolean | true | If set to true all IDs of elements in the SVG are made unique by appending the string "--inject-X", where X is a running number which increases with each injection. This is done to avoid duplicate IDs in the DOM. If set to false , all IDs within the SVG will be preserved. |
beforeLoad | function(img) | undefined | Hook before SVG is loaded. The img element is passed as a parameter. If the hook returns a string it is used as the URL instead of the img element's src attribute. |
afterLoad | function(svg, svgString) | undefined | Hook after SVG is loaded. The loaded svg element and svgString string are passed as a parameters. If caching is active this hook will only get called once for injected SVGs with the same absolute path. Changes to the svg element in this hook will be applied to all injected SVGs with the same absolute path. It's also possible to return an new SVG string or SVG element which will then be used for later injections. |
beforeInject | function(img, svg) | undefined | Hook directly before the SVG is injected. The img and svg elements are passed as parameters. The hook is called for every injected SVG. If an Element is returned it gets injected instead of applying the default SVG injection. |
afterInject | function(img, svg) | undefined | Hook after SVG is injected. The img and svg elements are passed as parameters. |
onAllFinish | function() | undefined | Hook after all img elements passed to an SVGInject() call have either been injected or failed to inject. |
onFail | function(img, status) | undefined | Hook after injection fails. The img element and a status string are passed as an parameter. The status has one of the values: 'SVG_NOT_SUPPORTED' - the browser does not support SVG, 'SVG_INVALID' - the SVG is not in a valid format or 'LOAD_FAIL' - loading of the SVG failed. If SVGInject is used with the onload attribute, onerror="SVGinject.err(this)" must be added to the <img> element to make sure onFail is called. |
Before an SVG is injected the original unstyled SVG may be displayed for a brief moment by the browser. If a style is already applied to the SVG at runtime, the styled SVG will look different from the unstyled SVG, causing a brief “flashing” of the unstyled SVG before injection occurs. We call this effect unstyled image flash.
If SVGInject is used with the onload
attribute, SVGInject has a built-in functionality to prevent unstyled image flash. A <style>
element with one CSS rule is added to the document to hide all injectable <img>
elements until injection is complete.
When using Javascript directly SVGInject has no build in functionality to prevent unstyled image flash. You can find a custom solution for this in the example for using SVGInject without the onload
attribute.
Instead of using the onload
attribute on the <img>
element you can also call SVGInject directly from Javascript.
Examples:
// inject by class name
SVGInject(document.getElementsByClassName('myClassName'));
// inject by id
SVGInject(document.getElementById('myId'));
You need to make sure the images are already inside the DOM before injection like this:
document.addEventListener('DOMContentLoaded', function() {
// call SVGInject() from here
});
If you dynamically insert new <img>
elements you need to call SVGInject()
on these elements after their insertion.
If the browser does not support SVG (IE8 and IE7), this simple fallback solution replaces the src
attribute with an alternative image URL.
<img src="image.svg" onload="SVGInject(this)" onerror="SVGInject.err(this, 'image.png')" />
More detailed information on implementing fallback solutions for old browsers can be found on our Fallback solutions WIki page.
Here are some examples which cover the most common use cases.
This is the standard usage of SVGInject which works on all modern browsers, and IE9+.
<html>
<head>
<script src="svg-inject.min.js"></script>
</head>
<body>
<img src="image1.svg" onload="SVGInject(this)" />
<img src="image2.svg" onload="SVGInject(this)" />
</body>
</html>
options
This example shows how to use SVGInject with multiple options.
<html>
<head>
<script src="svg-inject.min.js"></script>
<script>
SVGInject.setOptions({
useCache: false, // no caching
copyAttributes: false, // do not copy attributes from `<img>` to `<svg>`
makeIdsUnique: false, // do not make ids used within the SVG unique
afterLoad: function(svg, svgString) {
// add a class to the svg
svg.classList.add('my-class');
},
beforeInject: function(img, svg) {
// wrap SVG in a div element
var div = document.createElement('div');
div.appendChild(svg);
return div;
},
afterInject: function(img, svg) {
// set opacity
svg.style.opacity = 1;
},
onFail: function(img) {
// set the image background red
img.style.background = 'red';
}
});
</script>
</head>
<body>
<img src="image.svg" onload="SVGInject(this)" onerror="SVGInject.err(this)" />
</body>
</html>
onload
attributeThis example shows how to use SVGInject directly from Javascript without the onload
attribute. After the DOM content has loaded, SVGInject is called on all elements with class injectable
. It also implements a method to prevent unstyled image flash.
<html>
<head>
<script src="svg-inject.min.js"></script>
<!-- hide images until injection has completed or failed -->
<style>
/* hide all img elements until the svg is injected to prevent "unstyled image flash" */
img.injectable {
visibility: hidden;
}
</style>
<script>
SVGInject.setOptions({
onFail: function(img, svg) {
// if injection fails show the img element
img.classList.remove('injectable');
}
});
document.addEventListener('DOMContentLoaded', function() {
// inject images with an .svg file ending
SVGInject(document.querySelectorAll('img.injectable'), {
onAllFinish: function() {
// the SVG injection has finished for all three images
}
});
});
</script>
</head>
<body>
<img src="image_1.svg" class="injectable" />
<img src="image_2.svg" class="injectable" />
<img src="image_3.svg" class="injectable" />
</body>
</html>
Full support for all modern browsers, and IE9+ (full list)
Support for legacy browsers with optional PNG fallback method
FAQs
simple bulletproof svg injector
We found that @iconfu/svg-inject demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.