brandkit sanitize
Remove security threats from SVG files.
Synopsis
Description
Remove security threats from an SVG file while preserving valid content. By default, all threat types are removed. Use flags to selectively remove specific threat types.
Flags
| Flag | Description |
|---|---|
| -o, --output | Output file path (required) |
| --remove-all | Remove all threat types (default: true) |
| --remove-scripts | Remove script elements only |
| --remove-event-handlers | Remove event handler attributes only |
| --remove-external-refs | Remove external URLs only |
| -h, --help | Help for sanitize |
Examples
Remove all threats:
In-place sanitization (overwrites original):
Remove only scripts:
Remove only event handlers:
What Gets Removed
--remove-all (default)
Removes all detected threats:
| Category | Elements Removed |
|---|---|
| Scripts | <script> tags, javascript: URIs, vbscript: URIs |
| Event Handlers | onclick, onload, onerror, onmouseover, etc. |
| External Refs | href="http://...", xlink:href, foreignObject |
--remove-scripts
- `<script>` elements (inline and external)
- Self-closing `<script/>` tags
- `javascript:` URI schemes
- `vbscript:` URI schemes
- `data:text/html` URIs
--remove-event-handlers
- All `on*` attributes: `onclick`, `onload`, `onerror`, `onmouseover`, etc.
- Both quoted and unquoted attribute values
- Handles nested quotes correctly
--remove-external-refs
- `href="http://..."` and `href="https://..."`
- `xlink:href` with external URLs
- `<foreignObject>` elements
- `url(http://...)` in style attributes
- External `<use>` references
Output
The sanitized SVG maintains:
- Valid SVG structure
- Internal ID references (`#id`)
- Local file references
- Inline styles (unless containing threats)
- All visual elements
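An independent second check for the categories listed under What Gets Removed, as an added example that is not part of brandkit or its documentation. The function names, the category labels and the sample SVG are assumptions made for this illustration; it parses the file as XML and reports anything from those lists that is still present, while leaving internal `#id` references alone.

```python
import re
import xml.etree.ElementTree as ET  # stdlib so this runs offline; defusedxml is the safer parser for untrusted files

# Constructed sample input (not from the brandkit docs): at least one finding per category.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(1)</script>
  <rect id="r" width="10" height="10" onclick="run()" style="fill:url(http://example.test/p.svg#g)"/>
  <a xlink:href="javascript:void(0)"><use href="#r"/></a>
  <use xlink:href="https://example.test/sprite.svg#icon"/>
  <foreignObject><p xmlns="http://www.w3.org/1999/xhtml">x</p></foreignObject>
</svg>"""

SCRIPT_URI = re.compile(r"^\s*(javascript:|vbscript:|data:text/html)", re.I)
EXTERNAL_URI = re.compile(r"^\s*https?://", re.I)
STYLE_URL = re.compile(r"url\(\s*['\"]?https?://", re.I)

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def residual_threats(svg_text):
    """Return sorted (category, detail) pairs for items the page lists as removable."""
    findings = set()
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag.lower() == "script":
            findings.add(("scripts", "<script>"))
        if tag == "foreignObject":
            findings.add(("external-refs", "<foreignObject>"))
        for name, value in el.attrib.items():
            attr = local(name).lower()  # covers both href and xlink:href
            if attr.startswith("on"):
                findings.add(("event-handlers", attr))
            elif SCRIPT_URI.match(value):
                findings.add(("scripts", value.strip()))
            elif attr == "href" and EXTERNAL_URI.match(value):
                findings.add(("external-refs", value.strip()))
            elif attr == "style" and STYLE_URL.search(value):
                findings.add(("external-refs", "style url()"))
    return sorted(findings)

def is_clean(svg_text):
    """True when none of the listed threat categories remain."""
    return not residual_threats(svg_text)
```

A non-empty result on a sanitized file means it needs manual inspection. The check covers element names and attributes only, not the text of `<style>` blocks.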
Verification
After sanitization, verify the result:
Batch Processing
Sanitize all SVG files in a directory:
Or using Make:
See Also
- security-scan — Scan for security threats
- Security Guide — Full security documentation
- Sanitization — Detailed sanitization docs