Strip <script> tags, event handlers (onload=...), external references, and other potentially dangerous constructs
Maybe a strict allowlist of elements/attributes when --css injection is enabled
Add a --strict mode that refuses unsafe SVGs and a --sanitize mode that cleans them
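A minimal sketch of the two proposed modes, added here as an illustration and not taken from the project's code: `process(..., "strict")` refuses an SVG with any finding, while `process(..., "sanitize")` strips the findings and returns the cleaned document. The function names, the allowlist contents and the sample input are assumptions; DOCTYPE/ENTITY declarations are refused before parsing in both modes.

```python
import re
import xml.etree.ElementTree as ET
SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize without ns0: prefixes
# Illustrative allowlists (assumption): extend for the SVG features you accept.
TAGS = {f"{{{SVG_NS}}}{n}" for n in ("svg", "g", "defs", "path", "rect", "circle", "use")}
ATTRS = {"id", "viewBox", "width", "height", "x", "y", "d", "fill", "stroke", "href"}
URL_ARG = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]*)", re.I)
# Constructed sample input, not taken from the page.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><script>f()</script>'
          '<use href="https://example.invalid/s#a"/><rect fill="url(#g)" onclick="f()"/></svg>')

def local(name):
    return name.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def attr_problem(name, value):
    n = local(name)
    if n.lower().startswith("on"):
        return "event handler"
    if n not in ATTRS:
        return "attribute not in allowlist"
    # Only same-document fragments (#id) are accepted in href and url(...).
    refs = URL_ARG.findall(value) + ([value.strip()] if n == "href" else [])
    if any(not ref.startswith("#") for ref in refs):
        return "external reference"

def scrub(elem, findings):
    for child in list(elem):
        if child.tag not in TAGS:  # covers <script>, <style>, <foreignObject>, ...
            findings.append(f"<{local(child.tag)}>: element not in allowlist")
            elem.remove(child)
        else:
            scrub(child, findings)
    for name, value in list(elem.attrib.items()):
        problem = attr_problem(name, value)
        if problem:
            findings.append(f"{local(name)}: {problem}")
            del elem.attrib[name]

def process(svg_text, mode="strict"):
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", svg_text, re.I):
        raise ValueError("DOCTYPE/ENTITY declarations are refused in every mode")
    root = ET.fromstring(svg_text)
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root is not <svg> in the SVG namespace")
    findings = []
    scrub(root, findings)
    if findings and mode == "strict":
        raise ValueError("; ".join(findings))
    return ET.tostring(root, encoding="unicode"), findings
```

The findings list returned in sanitize mode doubles as an audit trail of what was removed and why.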