
feat: sanitize svg files

Open pi0 opened this issue 3 years ago • 1 comment

Input is usually considered safe from local sources and whitelisted domains, but if an attacker somehow manages to bypass these, they can potentially use xss on svg files that are served as is. This enhancement tries to restrict this and make ipx secure out of the box even if a (trusted) source can contain bad data.

Try:

  • Switch to branch
  • Run yarn dev
  • Open http://localhost:3000/_/xss.svg

pi0 avatar Sep 02 '22 17:09 pi0

Codecov Report

Merging #82 (50c8676) into main (13cb53d) will decrease coverage by 0.24%. The diff coverage is 16.66%.

Note: Current head 50c8676 differs from pull request most recent head f2e6384. Consider uploading reports for the commit f2e6384 to get more accurate results.

@@            Coverage Diff             @@
##             main      #82      +/-   ##
==========================================
- Coverage   59.17%   58.92%   -0.25%     
==========================================
  Files          10       10              
  Lines         779      784       +5     
  Branches       43       43              
==========================================
+ Hits          461      462       +1     
- Misses        318      322       +4     
Impacted Files   Coverage Δ
src/ipx.ts       81.71% <16.66%> (-1.82%) ↓


codecov[bot] avatar Sep 02 '22 17:09 codecov[bot]

Doing it via svgo: https://github.com/unjs/ipx/pull/180. The xss package is really unreliable for svg sources.

pi0 avatar Oct 18 '23 01:10 pi0
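Added example, not ipx's code and not the svgo-based sanitization adopted in the PR linked above: a conservative screening gate in Node.js that refuses SVGs carrying script vectors (the risk described in the PR description) and serves the rest with a hardening CSP for the direct-navigation case like /_/xss.svg. The two sample SVGs are constructed for the example; the check names and response shape are assumptions.

```javascript
// Added example (not ipx's code): a conservative screen an image proxy can run
// on SVG bytes before serving them inline. It reports *why* an SVG looks risky,
// and anything flagged is refused rather than "cleaned", because regex-based
// cleaning is exactly what turns out to be unreliable for SVG.

// Constructed samples standing in for the xss.svg fixture mentioned above.
const SAMPLE_XSS_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(1)</script>
  <rect width="10" height="10" onload="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><text>x</text></a>
</svg>`;
const SAMPLE_CLEAN_SVG =
  `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>`;

// Each check names one way script can reach a browser from an SVG *document*.
// Matching is case-insensitive on purpose; no match is not proof of safety.
const CHECKS = [
  ["script element", /<\s*script\b/i],
  ["event handler attribute", /\son[a-z]+\s*=/i],
  ["javascript: URL", /\b(?:xlink:)?href\s*=\s*["']?\s*javascript:/i],
  ["foreignObject (embeds HTML)", /<\s*foreignObject\b/i],
  ["DOCTYPE/ENTITY declaration", /<!(?:DOCTYPE|ENTITY)\b/i],
  // Character references can hide "javascript:" from the checks above, so
  // they are flagged as well; the occasional false positive is accepted.
  ["numeric character reference", /&#x?[0-9a-f]+;/i],
];

function svgRiskFindings(svgText) {
  return CHECKS.filter(([, re]) => re.test(svgText)).map(([name]) => name);
}

// Decide how the proxy should answer a request such as /_/xss.svg.
function decideSvgResponse(svgText) {
  const findings = svgRiskFindings(svgText);
  if (findings.length > 0) {
    return { status: 422, headers: { "content-type": "text/plain" }, findings };
  }
  // Defence in depth: scripts inside an SVG only run when it is loaded as a
  // document (direct navigation, iframe/object), never via <img>, and a
  // restrictive CSP on that document blocks them if the screen missed one.
  const headers = {
    "content-type": "image/svg+xml",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'none'; style-src 'unsafe-inline'",
  };
  return { status: 200, headers, findings };
}
```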