{"id":31225915,"url":"https://github.com/borewit/svg-sanitizer","last_synced_at":"2025-09-22T02:00:04.560Z","repository":{"id":281926546,"uuid":"946888901","full_name":"Borewit/svg-sanitizer","owner":"Borewit","description":"SVG Sanitizer, preventing XSS","archived":false,"fork":false,"pushed_at":"2025-09-08T12:48:05.000Z","size":151,"stargazers_count":0,"open_issues_count":4,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-09-21T21:00:50.615Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Borewit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"Borewit","buy_me_a_coffee":"borewit"}},"created_at":"2025-03-11T20:43:46.000Z","updated_at":"2025-08-21T12:30:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"10ad56b4-c659-4f1e-9c87-8b29bddddbe2","html_url":"https://github.com/Borewit/svg-sanitizer","commit_stats":null,"previous_names":["borewit/svg-sanitizer"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/Borewit/svg-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Borewit%2Fsvg-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Borewit%2Fsvg-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Borewit%2Fsvg-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Borewit%2Fsvg-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Borewit","download_url":"https://codeload.github.com/Borewit/svg-sanitizer/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Borewit%2Fsvg-sanitizer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276333934,"owners_count":25624049,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-21T02:00:07.055Z","response_time":72,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-22T02:00:01.706Z","updated_at":"2025-09-22T02:00:04.548Z","avatar_url":"https://github.com/Borewit.png","language":"Java","funding_links":["https://github.com/sponsors/Borewit","https://buymeacoffee.com/borewit"],"categories":[],"sub_categories":[],"readme":"[![CI](https://github.com/Borewit/svg-sanitizer/actions/workflows/ci.yml/badge.svg)](https://github.com/Borewit/svg-sanitizer/actions/workflows/ci.yml)\n[![Maven Central](https://img.shields.io/maven-central/v/io.github.borewit/svg-sanitizer)](https://central.sonatype.com/artifact/io.github.borewit/svg-sanitizer)\n[![javadoc](https://javadoc.io/badge2/io.github.borewit/svg-sanitizer/javadoc.svg)](https://javadoc.io/doc/io.github.borewit/svg-sanitizer)\n\n# SVG Sanitizer\n\n**SVG Sanitizer** is a Java library designed to clean [SVG files](https://en.wikipedia.org/wiki/SVG) by removing potentially dangerous JavaScript, blocking\nexternal resource loading, and preventing [XSS (Cross-Site Scripting)](https://owasp.org/www-community/attacks/xss/) vulnerabilities. It is useful for ensuring that SVG\nfiles are safe to use in a variety of applications, including web environments.\n\n## Features\n\n* Removes JavaScript from SVG files, including inline event handlers and `\u003cscript\u003e` tags.\n* Blocks loading of external resources, including href and xlink:href attributes pointing to external URLs.\n* Prevents XSS vulnerabilities by sanitizing dangerous elements and attributes.\n* Can be integrated easily into Java projects as a library.\n* Can handle huge SVG files, as the SVG is sanitized in a streaming manner.\n\n## Usage\n\n### Maven Dependency\n\nTo use the SVG Sanitizer in your Java project, include the [**io.github.borewit:svg-sanitizer** Maven dependency](https://central.sonatype.com/artifact/io.github.borewit/svg-sanitizer).\n\n```java\npublic class SVGSanitizerExample {\n  public static void main(String[] args) {\n    String dirtySvgContent = \"\"\"\n      \u003csvg xmlns=\"http://www.w3.org/2000/svg\" width=\"400\" height=\"400\" viewBox=\"0 0 124 124\" fill=\"none\"\u003e\n        \u003crect width=\"124\" height=\"124\" rx=\"24\" fill=\"#000000\"/\u003e\n        \u003cscript type=\"text/javascript\"\u003e\n          alert(0x539);\n        \u003c/script\u003e\n      \u003c/svg\u003e\"\"\";\n    try {\n      String sanitizedSvg = SVGSanitizer.sanitize(dirtySvgContent);\n      System.out.println(sanitizedSvg);\n    } catch (Exception e) {\n      e.printStackTrace();\n    }\n  }\n}\n```\nThis will output the sanitized SVG:\n```xml\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" fill=\"none\" height=\"400\" viewBox=\"0 0 124 124\" width=\"400\"\u003e\n    \u003crect fill=\"#000000\" height=\"124\" rx=\"24\" width=\"124\"/\u003e\n\u003c/svg\u003e\n```\n\nSanitize from `InputStream` to `OutputStream`:\n```java\nimport java.io.*;\n\npublic class SVGSanitizerExample {\n  public static void main(String[] args) throws Exception {\n    File inputFile = new File(\"unsafe.svg\");\n    File outputFile = new File(\"sanitized.svg\");\n\n    // Both streams are closed automatically by try-with-resources\n    try (InputStream inputStream = new FileInputStream(inputFile);\n         OutputStream outputStream = new FileOutputStream(outputFile)) {\n      SVGSanitizer.sanitize(inputStream, outputStream);\n    }\n\n    System.out.println(\"Sanitized SVG has been saved to \" + outputFile.getAbsolutePath());\n  }\n}\n```\n\nSanitize from `InputStream` to `InputStream`:\n```java\nimport java.io.*;\nimport javax.xml.parsers.DocumentBuilder;\nimport javax.xml.parsers.DocumentBuilderFactory;\nimport org.w3c.dom.Document;\n\npublic class SVGSanitizerExample {\n  public static void main(String[] args) throws Exception {\n    File inputFile = new File(\"unsafe.svg\"); // Potentially unsafe SVG file\n\n    try (InputStream inputStream = new FileInputStream(inputFile);\n         InputStream sanitizedStream = SVGSanitizer.sanitize(inputStream)) {\n\n      // Pass the sanitized stream to an XML parser (without converting it to a String)\n      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n      DocumentBuilder builder = factory.newDocumentBuilder();\n      Document doc = builder.parse(sanitizedStream);\n\n      System.out.println(\"SVG file successfully parsed after sanitization.\");\n    }\n  }\n}\n```\n\n### Available Methods\n\n```java\npublic static String sanitize(String svgContent)\n```\nThis method should only be used if loading the entire SVG into memory is not a problem.\n\n```java\npublic static void sanitize(InputStream inputStream, OutputStream outputStream)\n```\nWrites the sanitized SVG to the given `outputStream`.\n\n```java\npublic static InputStream sanitize(InputStream inputStream)\n```\nActs as a filter, returning a new `InputStream` with the sanitized SVG.\n\n## Security considerations\nUser-uploaded SVGs can contain malicious content that may be executed in a browser context. Sanitizing SVGs is an important step, but it should be combined with other measures for full protection.\nSee [SVG security best practices](SVG-security-best-practices.md) for a broader overview.\n\n## License\nThis project is licensed under the [MIT License](LICENSE.txt).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fborewit%2Fsvg-sanitizer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fborewit%2Fsvg-sanitizer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fborewit%2Fsvg-sanitizer/lists"}