Merge pull request #2 from bitstarr/develop

Security and a11y

blueprints.yaml

@@ -1,5 +1,5 @@
 name: 'SVG Extension'
-version: 1.0.1
+version: 1.0.2
 description: 'Inline SVG in Twig Templates'
 icon: picture-o
 author:
@@ -27,4 +27,10 @@ form:
       type: text
       label: Default CSS classes
       validate:
-        required: true
+        required: true
+    removeScriptTags:
+      type: toggle
+      label: remove script tags from SVG
+      default: 1
+      validate:
+        type: bool

svg-extension.php

@@ -229,16 +229,24 @@ protected function createHtml(string $svgString, ?string $classes): string
             $svgNodeInDocument->setAttribute('class', trim(implode(' ', $classes)));
         }
 
+        if ($this->config->get('plugins.svg-extension.removeScriptTags')) {
+            $scriptTags = $svgNodeInDocument->getElementsByTagName('script');
+
+            foreach ($scriptTags as $scriptTag) {
+                $scriptTag->parentNode->removeChild($scriptTag);
+            }
+        }
+
         if ($this->options['title']) {
             $attId = uniqid('icon__title--');
             $titleTag = $svgDomDoc->createElement('title', $this->options['title']);
             $titleTag->setAttribute('id', $attId);
             $svgNodeInDocument->appendChild($titleTag);
-            $svgNodeInDocument->setAttribute('role', 'image');
+            $svgNodeInDocument->setAttribute('role', 'img');
             $svgNodeInDocument->setAttribute('aria-labelledby', $attId);
         }
         else {
-            $svgNodeInDocument->setAttribute('role', 'presentation');
+            $svgNodeInDocument->setAttribute('role', 'img');
             $svgNodeInDocument->setAttribute('aria-hidden', 'true');
         }
 

svg-extension.yaml

@@ -1,3 +1,4 @@
 enabled: true
 path: 'theme://dist/icons/'
-defaultClass: 'icon'
+defaultClass: 'icon'
+removeScriptTags: true