feat: add secure relative image resolving

[zakideee]

Hi team,

Here is the implementation for relative image path resolving. Any feedback would be appreciated. Thanks!

Summary

In the current implementation, <image> href values are only resolved when they start with http:// or https://, which makes it difficult to work with local or same-origin assets.

This PR addresses this limitation by introducing an opt-in feature to resolve relative image URLs, related to the discussion in issue #229. By providing a baseUrl, you can now use relative paths like ./logo.png, which will be resolved against it. The default behavior remains unchanged to ensure backward compatibility.

Key Changes

• New option: imageResolving (enableRelativePaths, baseUrl)

  • This configuration is passed from the JavaScript layer to the underlying Rust core.
  • Legacy resolver continues to ignore relative paths by default.

• URL helpers (via url = "<2.5") enforce basic traversal checks.

  • Percent-encoded escape sequences like .%2e/ may still slip past after joining, so downstream callers should verify the final URL.

• Tests

  • __test__/index.spec.ts and __test__/wasm.spec.ts gain 12 new scenarios.
  • Existing assertions remain intact.

Usage

const resvgWithRelative = new Resvg(svgMarkup, {
  imageResolving: {
    enableRelativePaths: true,
    baseUrl: 'https://example.com/assets/'
  }
});

Testing

• yarn test: 49 passed / 1 skipped

• yarn test:wasm: 38 passed / 1 skipped

  • +12 scenarios (defaults, opt-in success/failure, missing baseUrl, data URIs)

Build Artifacts

• wasm/index_bg.wasm:

  • 2,479,696 bytes → 2,760,343 bytes
  • ≈ +274 KB (+11.3%) due to URL parsing logic

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
resvg-js	Ready	Preview	Comment	Sep 27, 2025 5:45am

[shmarlya]

Great feature and update that is really needed, someone maybe could review?