svg_conform 0.1.8 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 28ff5f6535023bd5817354101e080198c1f5e8b6a9cf0694555a45734e653283
-  data.tar.gz: ef1f87272855005ac53e4bc2f06467298c3e58dd3a332a5207d9f27aabf3b9a4
+  metadata.gz: e4879f5648a06585ca68ae1430f928c327b267c3de96e92ae54333a002127243
+  data.tar.gz: 7fb876639e3d0d935020089981803d43e2648131bf7a074b0b127605c99009ff
 SHA512:
-  metadata.gz: d4a56e3f70abddf80258a6774300c99db15d996f892ba8c8fd6a7d9e78d7c19432a3264d8958312c5e7cff5006628a648775dd3cbc4d06d9de0fde5ef179e9d3
-  data.tar.gz: 93d8c6ef9a74d628fa6b48aa4ab92ba41c4abc804d29d8b2670656e6114e869b614c0fef80363d393e7d72311e903a113fcf74cb060e8d41ea54f528a0442a77
+  metadata.gz: ca32f36fb1bcb98fc25be20fc237291f5fa0efedd55c71cb62b8862e60c3628f05673a0d16def9deda237e4a3b53312c78e39d3daf2bb42700e58f388a2d38c8
+  data.tar.gz: '0086cffd30f8c81aba4e157caf6a0bfe197f4ce597971941e4ddcc136f0ac7cf11460eb8e4103094a6636aa546c5d687c0f724697e441c509a94e1697bc41857'

data/.rubocop_todo.yml

@@ -1,80 +1,26 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2026-01-21 09:23:23 UTC using RuboCop version 1.82.1.
+# on 2026-01-22 08:33:31 UTC using RuboCop version 1.82.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 4
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: EnforcedStyle, IndentationWidth.
-# SupportedStyles: with_first_argument, with_fixed_indentation
-Layout/ArgumentAlignment:
-  Exclude:
-    - 'lib/svg_conform/validation_context.rb'
-
-# Offense count: 2
+# Offense count: 1
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyleAlignWith.
 # SupportedStylesAlignWith: either, start_of_block, start_of_line
 Layout/BlockAlignment:
   Exclude:
-    - 'lib/svg_conform/sax_validation_handler.rb'
     - 'spec/svg_conform/profiles/svg_1_2_rfc_profile_spec.rb'
 
-# Offense count: 1
-# This cop supports safe autocorrection (--autocorrect).
-Layout/BlockEndNewline:
-  Exclude:
-    - 'lib/svg_conform/sax_validation_handler.rb'
-
-# Offense count: 1
-# This cop supports safe autocorrection (--autocorrect).
-Layout/ElseAlignment:
-  Exclude:
-    - 'lib/svg_conform/requirements/no_external_css_requirement.rb'
-
-# Offense count: 1
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: EnforcedStyleAlignWith.
-# SupportedStylesAlignWith: keyword, variable, start_of_line
-Layout/EndAlignment:
-  Exclude:
-    - 'lib/svg_conform/requirements/no_external_css_requirement.rb'
-
-# Offense count: 4
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: AllowMultipleStyles, EnforcedHashRocketStyle, EnforcedColonStyle, EnforcedLastArgumentHashStyle.
-# SupportedHashRocketStyles: key, separator, table
-# SupportedColonStyles: key, separator, table
-# SupportedLastArgumentHashStyles: always_inspect, always_ignore, ignore_implicit, ignore_explicit
-Layout/HashAlignment:
-  Exclude:
-    - 'lib/svg_conform/validation_context.rb'
-
-# Offense count: 4
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: Width, AllowedPatterns.
-Layout/IndentationWidth:
-  Exclude:
-    - 'lib/svg_conform/requirements/no_external_css_requirement.rb'
-    - 'lib/svg_conform/sax_validation_handler.rb'
-
-# Offense count: 643
+# Offense count: 647
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: Max, AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, AllowRBSInlineAnnotation, AllowCopDirectives, AllowedPatterns, SplitStrings.
 # URISchemes: http, https
 Layout/LineLength:
   Enabled: false
 
-# Offense count: 2
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: AllowInHeredoc.
-Layout/TrailingWhitespace:
-  Exclude:
-    - 'lib/svg_conform/validation_context.rb'
-
 # Offense count: 2
 # Configuration parameters: AllowedMethods.
 # AllowedMethods: enums
@@ -124,12 +70,12 @@ Lint/UnreachableCode:
   Exclude:
     - 'lib/svg_conform/commands/check.rb'
 
-# Offense count: 150
+# Offense count: 151
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes, Max.
 Metrics/AbcSize:
   Enabled: false
 
-# Offense count: 23
+# Offense count: 24
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns, inherit_mode.
 # AllowedMethods: refine
 Metrics/BlockLength:
@@ -140,12 +86,12 @@ Metrics/BlockLength:
 Metrics/BlockNesting:
   Max: 4
 
-# Offense count: 126
+# Offense count: 127
 # Configuration parameters: AllowedMethods, AllowedPatterns, Max.
 Metrics/CyclomaticComplexity:
   Enabled: false
 
-# Offense count: 262
+# Offense count: 263
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
   Max: 154
@@ -155,7 +101,7 @@ Metrics/MethodLength:
 Metrics/ParameterLists:
   Max: 9
 
-# Offense count: 100
+# Offense count: 101
 # Configuration parameters: AllowedMethods, AllowedPatterns, Max.
 Metrics/PerceivedComplexity:
   Enabled: false
@@ -193,7 +139,7 @@ RSpec/DescribeClass:
     - 'spec/svg_conform/references/integration_spec.rb'
     - 'spec/svgcheck_compatibility_spec.rb'
 
-# Offense count: 136
+# Offense count: 139
 # Configuration parameters: CountAsOne.
 RSpec/ExampleLength:
   Max: 53
@@ -258,11 +204,3 @@ Style/OptionalBooleanParameter:
 Style/RedundantCondition:
   Exclude:
     - 'lib/svg_conform/external_checkers/svgcheck/parser.rb'
-
-# Offense count: 1
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: EnforcedStyleForMultiline.
-# SupportedStylesForMultiline: comma, consistent_comma, diff_comma, no_comma
-Style/TrailingCommaInArguments:
-  Exclude:
-    - 'lib/svg_conform/sax_validation_handler.rb'

data/config/profiles/metanorma.yml

@@ -16,6 +16,8 @@ requirements:
     allowed_namespaces:
       - "http://www.w3.org/2000/svg"
       - ""  # Default namespace (no prefix)
+    allowed_attribute_patterns:
+      - "on*"  # Allow event handler attributes (onmouseover, onmouseout, etc.) per issue #57
     element_configs:
       # Direct encoding from svgcheck word_properties.py elements dictionary
       - tag: "svg"
@@ -156,6 +158,7 @@ requirements:
     description: "Validates ID references point to existing elements"
 
   # Forbidden content - no multimedia, scripting, etc.
+  # Note: onmouseover, onmouseout, onfocus, onblur are intentionally allowed per issue #57
   - id: "forbidden_content"
     type: "ForbiddenContentRequirement"
     description: "Prohibits multimedia, scripting content"

data/docs/profiles.adoc

@@ -268,10 +268,24 @@ See link:remediation.adoc#namespace-attribute-remediation[NamespaceAttributeReme
 * **Flexible colors**: Any colors allowed (unlike RFC 7996 black/white restriction)
 * **Flexible fonts**: Any font families allowed (unlike RFC 7996 generic-only restriction)
 * **Flexible styles**: Any CSS styles allowed
+* **Event handlers allowed**: Supports event attributes (`on*`) for interactivity
 * **Self-contained resources**: All CSS and fonts must be embedded
 * **Structural compliance**: Proper namespaces and viewBox required
 * **No external dependencies**: External CSS and fonts strictly prohibited
 
+**Event Handler Support**:
+
+The metanorma profile allows SVG event handler attributes (e.g., `onmouseover`, `onmouseout`, `onfocus`, `onblur`) for interactive elements. This is configured using wildcard attribute patterns:
+
+[source,yaml]
+----
+requirements:
+  - type: "AllowedElementsRequirement"
+    id: "allowed_elements"
+    allowed_attribute_patterns:
+      - "on*"  # Allow all event handler attributes
+----
+
 **Requirements**:
 [source,yaml]
 ----

data/docs/requirements.adoc

@@ -174,6 +174,62 @@ foreign). Used with `skip_foreign_namespaces`. Default: `[]`.
 namespaces. When `true`, RDF namespace elements are considered valid and
 skipped. Default: `false`.
 
+`allowed_attribute_patterns`:: List of wildcard attribute patterns to exempt from
+validation. Attributes matching any pattern will be allowed regardless of whether
+they appear in element `attributes` lists. Patterns support suffix wildcards (`*`).
+Default: `[]`.
+
+* **Common patterns**:
++
+**`"on*"`**:: Allows all event handler attributes (`onclick`, `onmouseover`, `onmouseout`, etc.)
+**`"data-*"`**:: Allows all `data-` custom attributes
+
+* **Precedence**: When an attribute matches both an allowed pattern and an
+element-specific disallowed attribute (prefixed with `!`), the allowed pattern
+takes precedence and a warning is emitted during validation.
+
+==== Wildcard attribute patterns
+
+.Using allowed_attribute_patterns to exempt event handler attributes
+[example]
+====
+[source,yaml]
+----
+- id: "svg_elements_with_events"
+  type: "AllowedElementsRequirement"
+  description: "Restrict to allowed SVG elements but allow event handlers"
+  allowed_attribute_patterns:
+    - "on*"     # Allow all event handler attributes
+    - "data-*"  # Allow all data-* custom attributes
+  check_attributes: true
+  element_configs:
+    - tag: "polygon"
+      attributes: ["points", "id", "fill"]
+      # !onclick is disallowed, but on* pattern takes precedence with warning
+    - tag: "rect"
+      attributes: ["x", "y", "width", "height"]
+----
+====
+
+With this configuration:
+* Event attributes (`onclick`, `onmouseover`, etc.) are allowed on all elements
+* `data-*` custom attributes are allowed on all elements
+* Other attributes not in element `attributes` lists are still rejected
+
+.Conflict detection warning
+[example]
+====
+When an allowed pattern conflicts with an element-specific disallowed attribute
+(prefixed with `!`), a warning is emitted:
+
+[source,text]
+----
+Configuration warning in svg_elements_with_events: Element 'polygon' has
+disallowed attributes [onclick] that match allowed_attribute_patterns [on*].
+Allowed patterns take precedence over element-specific disallowed attributes.
+----
+====
+
 ==== Configuration
 
 .Example configuration of AllowedElementsRequirement

data/lib/svg_conform/requirements/allowed_elements_requirement.rb

@@ -8,20 +8,19 @@ module SvgConform
     # Validates that only allowed SVG elements and their attributes are used
     class AllowedElementsRequirement < BaseRequirement
       attribute :type, :string, default: -> { "AllowedElementsRequirement" }
-      attribute :element_configs, ElementRequirementConfig, collection: true, default: -> {
-        []
-      }
-      attribute :disallowed_elements, :string, collection: true, default: -> {
-        []
-      }
+      attribute :element_configs, ElementRequirementConfig, collection: true,
+                                                            initialize_empty: true
+      attribute :disallowed_elements, :string, collection: true,
+                                               initialize_empty: true
       attribute :check_attributes, :boolean, default: false
       attribute :check_invalid_attributes, :boolean, default: false
+      attribute :allowed_attribute_patterns, :string, collection: true,
+                                                      initialize_empty: true
       attribute :check_parent_child, :boolean, default: false
       attribute :parent_child_rules, :string, default: -> { {} }
       attribute :skip_foreign_namespaces, :boolean, default: false
-      attribute :allowed_namespaces, :string, collection: true, default: -> {
-        []
-      }
+      attribute :allowed_namespaces, :string, collection: true,
+                                              initialize_empty: true
       attribute :allow_rdf_metadata, :boolean, default: false
 
       # RDF-related namespaces (same as in NamespaceRequirement for consistency)
@@ -41,13 +40,51 @@ module SvgConform
         map "disallowed_elements", to: :disallowed_elements
         map "check_attributes", to: :check_attributes
         map "check_invalid_attributes", to: :check_invalid_attributes
+        map "allowed_attribute_patterns", to: :allowed_attribute_patterns
         map "check_parent_child", to: :check_parent_child
         map "skip_foreign_namespaces", to: :skip_foreign_namespaces
         map "allowed_namespaces", to: :allowed_namespaces
         map "allow_rdf_metadata", to: :allow_rdf_metadata
       end
 
+      # Check for configuration conflicts and emit warnings
+      def validate_configuration
+        return if allowed_attribute_patterns.empty? || !element_configs&.any?
+
+        element_configs.each do |element_config|
+          next unless element_config&.attr
+
+          disallowed_attrs = []
+          element_config.attr.each do |attribute|
+            if attribute.start_with?("!")
+              disallowed_attrs << attribute[1..].downcase
+            end
+          end
+
+          next if disallowed_attrs.empty?
+
+          # Check if any disallowed attribute matches an allowed pattern
+          conflicts = disallowed_attrs.select do |disallowed|
+            matches_allowed_pattern?(disallowed)
+          end
+
+          if conflicts.any?
+            warn "Configuration warning in #{id}: " \
+                 "Element '#{element_config.tag}' has disallowed attributes [#{conflicts.join(', ')}] " \
+                 "that match allowed_attribute_patterns [#{allowed_attribute_patterns.join(', ')}]. " \
+                 "Allowed patterns take precedence over element-specific disallowed attributes."
+          end
+        end
+      end
+
       def check(node, context)
+        # Validate configuration once on first use
+        @_config_validated ||= false
+        unless @_config_validated
+          validate_configuration
+          @_config_validated = true
+        end
+
         return unless element?(node)
 
         # Skip foreign namespace elements if configured (let NamespaceRequirement handle them)
@@ -121,6 +158,13 @@ module SvgConform
       end
 
       def validate_sax_element(element, context)
+        # Validate configuration once on first use
+        @_config_validated ||= false
+        unless @_config_validated
+          validate_configuration
+          @_config_validated = true
+        end
+
         # Skip if parent is structurally invalid (matches DOM behavior)
         if element.parent && context.node_structurally_invalid?(element.parent)
           # Mark this element as invalid too since it won't be in final document
@@ -202,6 +246,18 @@ module SvgConform
         disallowed_elements&.include?(element_name) || false
       end
 
+      # Check if an attribute name matches any of the allowed_attribute_patterns
+      def matches_allowed_pattern?(attr_name)
+        allowed_attribute_patterns.any? do |pattern|
+          if pattern.end_with?("*")
+            prefix = pattern[0..-2] # Remove trailing *
+            attr_name.downcase.start_with?(prefix)
+          else
+            attr_name.downcase == pattern
+          end
+        end
+      end
+
       def invalid_parent_child?(parent_name, child_name)
         return false unless element_configs&.any?
 
@@ -290,6 +346,9 @@ module SvgConform
           # Check if matches data-* pattern (wildcard pattern)
           next if attr_name.start_with?("data-")
 
+          # Check if matches allowed attribute patterns (wildcard patterns)
+          next if matches_allowed_pattern?(attr_name)
+
           # Check if explicitly disallowed
           if disallowed_attrs.include?(attr_name)
             errors << {
@@ -437,6 +496,9 @@ module SvgConform
           next if attr.namespace
           next if attr_name.start_with?("data-")
 
+          # Check if matches allowed attribute patterns (wildcard patterns)
+          next if matches_allowed_pattern?(attr_name)
+
           # Check if explicitly disallowed
           if disallowed_attrs.include?(attr_name)
             errors << {

data/lib/svg_conform/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SvgConform
-  VERSION = "0.1.8"
+  VERSION = "0.1.9"
 end

data/spec/svg_conform/requirements/allowed_elements_requirement_spec.rb

@@ -114,5 +114,68 @@ RSpec.describe SvgConform::Requirements::AllowedElementsRequirement do
 
       expect(requirement).to be_a(described_class)
     end
+
+    it "accepts allowed_attribute_patterns for wildcard attribute exemption" do
+      requirement = described_class.new(
+        id: "test_patterns",
+        description: "Test with allowed patterns",
+        allowed_attribute_patterns: ["on*", "data-*"],
+      )
+
+      expect(requirement.allowed_attribute_patterns).to eq(["on*", "data-*"])
+    end
+
+    it "allows attributes matching allowed_attribute_patterns" do
+      svg_with_event_handlers = <<~SVG
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+          <polygon points="10,10 90,10 50,90"
+                   onmouseout="handleOut()"
+                   onmouseover="handleOver()"
+                   data-custom="value"/>
+          <rect x="10" y="10" width="20" height="20" onclick="forbidden()"/>
+        </svg>
+      SVG
+
+      document = SvgConform::Document.from_content(svg_with_event_handlers)
+      requirement = described_class.new(
+        id: "test_patterns",
+        description: "Test with allowed patterns",
+        allowed_attribute_patterns: ["on*"], # Allow all event attributes
+        check_attributes: true,
+      )
+
+      context = SvgConform::ValidationContext.new(document, nil)
+      requirement.validate_document(document, context)
+
+      # onmouseout and onmouseover should be allowed (match "on*" pattern)
+      # onclick should also be allowed (matches "on*" pattern)
+      # data-custom should NOT be allowed (not in allowed attributes, not in pattern)
+      expect(context.errors).to be_empty
+    end
+
+    it "warns when allowed_attribute_patterns conflicts with element-specific disallowed attributes" do
+      # Create a requirement with conflicting configuration
+      requirement = described_class.new(
+        id: "test_conflict",
+        description: "Test with conflicting patterns",
+        allowed_attribute_patterns: ["on*"], # Allows all event attributes
+        element_configs: [
+          SvgConform::Requirements::ElementRequirementConfig.new(
+            tag: "polygon",
+            attr: ["points", "!onclick"], # onclick is disallowed on polygon
+          ),
+        ],
+      )
+
+      # Trigger validation by calling check and capture stderr
+      document = SvgConform::Document.from_content(
+        '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><polygon points="10,10 90,10 50,90"/></svg>',
+      )
+      context = SvgConform::ValidationContext.new(document, nil)
+
+      expect { requirement.check(document.root, context) }
+        .to output(/Configuration warning.*onclick.*allowed_attribute_patterns.*Allowed patterns take precedence/m)
+        .to_stderr
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: svg_conform
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.9
 platform: ruby
 authors:
 - Ribose
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-01-21 00:00:00.000000000 Z
+date: 2026-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: lutaml-model