SVG JavaScript test
This repository tests whether JavaScript inside an SVG is executed when the file is embedded in different contexts, especially in a Gitea README or comment.
The SVG contains a clock that updates every second. If the displayed time
changes, JavaScript is running. If the SVG continues to show static fallback
and waiting for JavaScript..., scripting has been disabled.
Files
date-live.svg: test SVG containing the JavaScript clock.index.html: local comparison usingobject,iframe, andimg.
Markdown test
The following image uses standard Markdown syntax:
Gitea renders Markdown images using an image context equivalent to an HTML
img element. In this context, the SVG should remain on its static fallback
because the browser does not execute its script.
Local comparison
Serve this directory through a local HTTP server and open index.html:
python3 -m http.server 8000
Then visit http://localhost:8000.
Expected results:
| Embedding context | Expected result |
|---|---|
| SVG opened directly | JavaScript runs |
object |
JavaScript runs |
iframe |
JavaScript runs |
img |
JavaScript does not run |
| Gitea Markdown image | JavaScript does not run |
Why image embedding is different
SVG supports JavaScript when it is processed as a document. However, browsers apply a restricted processing mode when an SVG is loaded as an image. In this mode, scripts and external resources are disabled for security and privacy.
This means an SVG embedded in a Gitea README cannot use JavaScript to:
- Periodically request updated data with
fetch. - Modify itself using timers.
- Inspect the parent Gitea page.
- Read CSS variables from the parent document.
The server-generated SVG content is still displayed, but it cannot update itself while the README remains open.