Svg.svelte

Renders an SvgData icon definition to inline svg markup, never via @html.

Security

SvgData is rendered structurally into a fixed element set - svg, defs, linearGradient/radialGradient, stop, and path. None of these expose a navigation or script sink (no src or foreignObject, and a gradient href only references another gradient as a template, never a document location), and Svelte routes on* spread keys through addEventListener rather than writing inline handler attributes. So even an untrusted SvgData cannot introduce script execution or navigation - which is why the data is rendered through typed fields (paths, gradients) instead of a raw-markup escape hatch.

The one residual: a style value (data.style, a path's style, or a gradient's attrs.style) can still issue network requests via url(...), so sanitize styles if you render untrusted data and that matters. Per-instance svg attributes come from this component's own props, not from data.

view source

Declarations
#

Svg
#

Svg.svelte view source

accepts children

import Svg from '@fuzdev/fuz_ui/Svg.svelte';

`height?`

type string

optional

`width?`

type string

optional

`fill?`

type string

optional

`data`

type SvgData

`size?`

Sets both the width and height of the svg. Overridden by the width and height props.

type string

optional default 'var(--font_size, auto)'

`label?`

type string

optional

`inline?`

Renders the SVG as an inline block with spacing appropriate for text. Defaults to false.

type boolean

optional

`shrink?`

type boolean

optional default true

intersects

SvelteHTMLElements['svg']

Depends on
#

svg.ts