removeScriptElement
Removes all scripts from the document.
SVGs can be made interactive through JavaScript. However, unless the SVG comes from a trusted source, it's strongly advised to strip the JavaScript from it to avoid XSS attacks.
Caution: This will break interactive SVGs that rely on JavaScript.
This plugin performs the following operations:
- Removes `<script>` elements.
- Removes SVG event attributes, such as `onload`, `onclick`, and `oninput`, preserving the element itself.
- Collapses `<a>` elements, moving children up to the parent element.
Usage
svgo.config.js
module.exports = {
  plugins: [
    "removeScriptElement"
  ]
}
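To confirm that optimized output no longer contains what the operations list describes, a build step can scan it for leftover `<script>` elements, `on*` event attributes and `<a>` elements. This is an added example, not part of SVGO or its documentation; `auditSvg` and `SAMPLE` are hypothetical names, and the sample SVG is constructed for illustration.

```javascript
// Added example: a coarse audit of SVG text, not a sanitizer or a full XML parser.
// It reports the constructs the plugin description says are removed or collapsed.

// One start tag: element name, then attributes whose quoted values may contain ">".
const START_TAG = /<([A-Za-z][\w:.-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?)*)\s*\/?>/g;
// One attribute: name plus optional value (the value is consumed so it is never rescanned).
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?/g;

function auditSvg(source) {
  // Comments and CDATA sections are not markup; drop them so they are not flagged.
  const text = source
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, "");
  const findings = [];
  for (const [, rawName, attrs] of text.matchAll(START_TAG)) {
    // Ignore a namespace prefix (svg:script) and case (SVG inlined in HTML).
    const name = rawName.split(":").pop().toLowerCase();
    if (name === "script") findings.push({ kind: "script-element", detail: rawName });
    if (name === "a") findings.push({ kind: "a-element", detail: rawName });
    for (const [, attrName] of attrs.matchAll(ATTR)) {
      // Event attributes start with "on"; "data-once" and similar do not match.
      if (/^on[a-z]/i.test(attrName)) {
        findings.push({ kind: "event-attribute", detail: `${rawName}@${attrName}` });
      }
    }
  }
  return findings;
}

// Constructed sample input: what an unprocessed, untrusted SVG might contain.
const SAMPLE = `<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <!-- <script>not live</script> -->
  <script>console.log("hi")</script>
  <a href="#top"><rect width="10" height="10" onclick="go('>')"/></a>
  <text data-once="1">label</text>
</svg>`;

// Each finding names the construct and where it was seen.
console.log(auditSvg(SAMPLE));
```

An empty result means none of the three constructs were found in the text; it is a regression check on the optimizer's output, not a replacement for the plugin.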
Demo
Live Editor
const svg = `
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox=" 0 0 150 100 " width="150">
  <!-- Created with love! -->
  <defs>
    <ellipse cx="50" cy="50.0" rx="50.00" ry="auto" fill="black" id="circle"/>
  </defs>
  <g>
    <use href="#circle" transform="skewX(16)"/>
    <rect id="useless" width="0" height="0" fill="#ff0000"/>
  </g>
</svg>
`;

const svgoConfig = {
  js2svg: { indent: 2, pretty: true },
  plugins: [
    "removeScriptElement"
  ]
}

render(<SvgoPreview svg={svg} svgoConfig={svgoConfig}/>);