@mattkrick/sanitize-svg - npm Package Compare versions

Comparing version 0.3.1 to 0.4.0

dist/lib/sanitizeSVG.js

 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+const svgDisallowed = [
+    'a',
+    'animate',
+    'color-profile',
+    'cursor',
+    'discard',
+    'fedropshadow',
+    'font-face',
+    'font-face-format',
+    'font-face-name',
+    'font-face-src',
+    'font-face-uri',
+    'foreignobject',
+    'hatch',
+    'hatchpath',
+    'mesh',
+    'meshgradient',
+    'meshpatch',
+    'meshrow',
+    'missing-glyph',
+    'script',
+    'set',
+    'solidcolor',
+    'unknown',
+    'use'
+];
 const getWindow = () => (typeof window === 'undefined' ? null : window);
@@ -27,11 +53,11 @@ const readAsText = (svg) => new Promise((resolve) => {
         throw new Error('Image corrupt');
-    const div = window.document.createElement('div');
-    div.innerHTML = svgText;
-    const svgEl = div.firstElementChild;
+    const playground = window.document.createElement('template');
+    playground.innerHTML = svgText;
+    const svgEl = playground.content.firstElementChild;
     const attributes = Array.from(svgEl.attributes).map(({ name }) => name);
     const hasScriptAttr = !!attributes.find((attr) => attr.startsWith('on'));
-    const scripts = svgEl.getElementsByTagName('script');
-    return scripts.length === 0 && !hasScriptAttr ? svg : null;
+    const disallowedSvgElements = svgEl.querySelectorAll(svgDisallowed.join(','));
+    return disallowedSvgElements.length === 0 && !hasScriptAttr ? svg : null;
 };
 exports.default = sanitizeSVG;
 //# sourceMappingURL=sanitizeSVG.js.map

package.json

 {
   "name": "@mattkrick/sanitize-svg",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "description": "a small script to remove script tags from SVGs",
@@ -5,0 +5,0 @@ "keywords": [

No alert changes

Improved metrics

Total package byte prevSize

8355

increased by10.87%

Lines of code

66

increased by65%

No dependency changes