MCPcopy Index your code
hub / github.com/cloudflare/svg-hush

github.com/cloudflare/svg-hush @0.9.5

Chat with this repo
repository ↗ · DeepWiki ↗ · release 0.9.5 ↗ · + Follow
25 symbols 45 edges 8 files 11 documented · 44% updated 2mo ago0.9.5 · 2025-02-21★ 424
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

svg-hush

The goal of this tool is to make arbitrary SVG files as benign and safe to serve as images in other common Web file formats. SVG files aren't just images, they're documents with full access to all HTML and JavaScript features. This tool filters SVG files to remove use of any potentially risky features.

  • Removes scripting. Prevents SVG files from being used for cross-site scripting attacks. Although browsers don't allow scripts in <img>, they do allow scripting when SVG files are opened directly as a top-level document.

  • Removes hyperlinks to documents on other domains. Makes SVG files less attractive for SEO spam and phishing.

  • Removes references to cross-origin resources. Stops 3rd parties from tracking who is viewing the image.

This tool removes any elements and attributes that aren't in its allowlist and filters all URLs to be same-origin only (paths without a host name). It may break some SVG images. Please file a bug when you find an image that is filtered too harshly!

This tool might make SVG files smaller by removing unnecessary junk from them, but it's not meant to be an SVG optimizer. It's safe to combine svg-hush with SVG optimization tools.

Sanitization vs CSP

Regardless of this filtering, it's best to serve SVG images with a restrictive Content-Security-Policy. This tool is a defense-in-depth for cases where the CSP header may be unsupported, lost, or bypassed (e.g. due to server/CMS misconfiguration or a ServiceWorker that doesn't forward headers).

Known limitations

  • Legacy text encodings are not supported. UTF-8, UTF-16, and latin1 are supported.
  • DOCTYPEs referencing external DTD files are not allowed. Internal subset is supported.
  • The lax SVG-in-HTML syntax dialect is not supported. SVG documents must be well-formed XML and use the SVG namespace.

Core symbols most depended-on inside this repo

filter
called by 7
src/lib.rs
set_data_url_filter
called by 6
src/lib.rs
filtered_url_func
called by 3
src/lib.rs
filter_url
called by 2
src/lib.rs
usage
called by 1
src/main.rs
is_allowed_element
called by 1
src/lib.rs
filter_attribute
called by 1
src/lib.rs
filter_data_url
called by 1
src/lib.rs

Shape

Method 11
Function 9
Enum 4
Class 1

Languages

Rust100%

Modules by API surface

src/lib.rs19 symbols
tests/tests.rs2 symbols
src/main.rs2 symbols
src/data_url_filter.rs2 symbols

For agents

$ claude mcp add svg-hush \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page