New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/active-static-asset

A browser-reachable SVG that contains a `<script>` tag or `on*` event handler runs that code in your origin when someone opens it, which can lead to cross-site scripting.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: browser-reachable `.svg` assets (public/, dist/assets, .next/static, out/, generated bundles, .map) for the executable-SVG branch; production source (.js/.ts/.tsx) and config/CI files (next.config, vercel.json, Dockerfile, workflow YAML, netlify.toml) for the config/embed branch; server build output (.next/server, .output/server) skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Two detection branches. (1) For a .svg file that is browser-reachable (under public/, dist/assets/, .next/static/, out/, a generated bundle, or a .map), it fires when the SVG body contains a <script tag or an inline on{load,error,click,mouseover}= event handler — an executable SVG that runs script when opened same-origin (escalated to an error-level finding). (2) For production source (.js/.ts/.tsx) or config/CI files, it fires on the literal dangerouslyAllowSVG: true or an <object|embed|iframe> whose data/src points at a .svg file. FALSE POSITIVE to suppress: a first-party, fully-trusted SVG you author whose script/handlers are intentional and never mixed with user-uploaded SVGs, or a dangerouslyAllowSVG: true config where every served SVG is sanitized/first-party and the response already sets an attachment disposition and a script-blocking CSP.

Fix prompt

Use this once validation confirms the diagnostic is real.

Serve SVGs as inert images: reference them with <img src=...> instead of <object>, <embed>, or <iframe>, so embedded scripts and handlers never run. If you must serve raw SVG, sanitize it first (for example DOMPurify with the SVG profile) to strip <script> and on* handlers, deliver it from a cookieless origin with Content-Disposition: attachment, and set a Content-Security-Policy that blocks script-src and object-src. Avoid dangerouslyAllowSVG: true in Next image config unless every SVG is first-party and sanitized.