SESM Fixture Corpus
fixtures/ holds a small corpus of SVG files used by tests/test_validate_sesm_safe.py to exercise Validate-SESM-Safe.py. Each fixture demonstrates one specific validator outcome rather than a realistic asset. The two valid/ fixtures are safe to render as images; the invalid/ and warning/ fixtures intentionally contain unsafe or borderline features and are shown here only as code, not as embedded/rendered images.
| Fixture | Expected profile | Expected status | Demonstrates |
|---|---|---|---|
valid/basic-safe.svg | sesm-safe | ok | Minimal safe-profile icon: one SESM block, no active content. |
valid/full-metadata.svg | sesm-safe | ok | Fuller SESM block (theme, crawl, llm, provenance) still passing the safe profile. |
invalid/script.svg | sesm-unsafe | error | <script> element — forbidden outright. |
invalid/event-handler.svg | sesm-unsafe | error | onload event handler attribute — forbidden on* handler. |
invalid/javascript-url.svg | sesm-unsafe | error | javascript: URL inside an <a href>. |
invalid/duplicate-metadata.svg | sesm-unsafe | error | Two <metadata id="sesm"> blocks — safe profile allows at most one. |
invalid/bad-json.svg | sesm-unsafe | error | Malformed JSON (trailing comma) inside the metadata block. |
warning/remote-reference.svg | sesm-unverified | warning | Remote <image href="https://..."> reference — flagged, not rejected outright. |
Representative Samples
valid/basic-safe.svg — the minimal passing case:
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" role="img" aria-label="Example icon">
<title>Example icon</title>
<metadata id="sesm"><![CDATA[
{
"sesm_version": "0.3.0",
"asset": {
"id": "basic-safe",
"role": "icon",
"title": "Basic Safe SESM Icon"
},
"llm": {
"summary": "A simple safe-profile SESM fixture.",
"interpretation_hints": [
"Interpret this as a minimal icon fixture."
]
}
}
]]></metadata>
<circle cx="50" cy="50" r="40" fill="#22D3EE"/>
</svg>
invalid/script.svg — the simplest failing case, shown as text only (this fixture is intentionally unsafe and must never be rendered or embedded as a live image):
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<metadata id="sesm"><![CDATA[
{
"sesm_version": "0.3.0",
"asset": { "id": "script-fixture", "role": "icon" }
}
]]></metadata>
<script>alert("unsafe")</script>
<circle cx="50" cy="50" r="40"/>
</svg>
warning/remote-reference.svg — a borderline case that warns rather than fails, since remote references are policy-dependent rather than universally forbidden:
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<metadata id="sesm"><![CDATA[
{
"sesm_version": "0.3.0",
"asset": { "id": "remote-reference-fixture", "role": "icon" }
}
]]></metadata>
<image href="https://example.com/remote.png" width="100" height="100"/>
</svg>
The remaining invalid fixtures (event-handler.svg, javascript-url.svg, duplicate-metadata.svg, bad-json.svg) follow the same one-issue-per-file pattern and are not reproduced individually here — each triggers exactly the error code named in the table above (svg-event-handler, javascript-url, sesm-duplicate, sesm-json-invalid respectively; see Validator Rules).