A small, dependency-light Ruby tool for untrusted SVG. It flags the things that make SVG dangerous to render or embed: scripts, event handlers, javascript: URIs, external references (including inside CSS), scriptable data: URIs, foreign objects, XXE via DOCTYPE or ENTITY declarations, and nested- render bombs. It can also sanitize - rewrite an SVG into a safe one - and re-rates findings for the rendering context (inline vs <img>). Normalises encoding, caps size, and bounds structural shape on a streaming pass so it is safe to point at hostile input. Ships a strict allowlist profile for brand-mark logos (BIMI-style), a general profile, YAML config, and a CLI with CI-friendly exit codes and SARIF output. Pure Ruby, parses with REXML, no native extensions.
Required Ruby Version
>= 3.1.0
Authors
Suleyman Musayev
Versions
- 0.1.0 July 13, 2026 (24.5 KB)