716c8384d9
SVG containers carry text that is invisible in the rendered image but fully parsed by an agent reading the source. <desc>, <title>, <metadata>, and <foreignObject> are all valid surfaces for adversarial injection. Adds a per-element extractor inside the existing HTML-tag gate, gated on /<svg[\s>]/i so it only fires for actual SVG content. Inner text is HTML-entity-decoded then run through scanForInjection. Emits at the strongest tier with category svg-element-injection. +3 tests (62 → 65). Refs: Batch B Wave 4 / Step 10 / v7.2.0 |
||
|---|---|---|
| .. | ||
| fixtures | ||
| helpers | ||
| hooks | ||
| lib | ||
| scanners | ||