Skip to main content

SESM Fixture Corpus

fixtures/ holds a small corpus of SVG files used by tests/test_validate_sesm_safe.py to exercise Validate-SESM-Safe.py. Each fixture demonstrates one specific validator outcome rather than a realistic asset. The two valid/ fixtures are safe to render as images; the invalid/ and warning/ fixtures intentionally contain unsafe or borderline features and are shown here only as code, not as embedded/rendered images.

FixtureExpected profileExpected statusDemonstrates
valid/basic-safe.svgsesm-safeokMinimal safe-profile icon: one SESM block, no active content.
valid/full-metadata.svgsesm-safeokFuller SESM block (theme, crawl, llm, provenance) still passing the safe profile.
invalid/script.svgsesm-unsafeerror<script> element — forbidden outright.
invalid/event-handler.svgsesm-unsafeerroronload event handler attribute — forbidden on* handler.
invalid/javascript-url.svgsesm-unsafeerrorjavascript: URL inside an <a href>.
invalid/duplicate-metadata.svgsesm-unsafeerrorTwo <metadata id="sesm"> blocks — safe profile allows at most one.
invalid/bad-json.svgsesm-unsafeerrorMalformed JSON (trailing comma) inside the metadata block.
warning/remote-reference.svgsesm-unverifiedwarningRemote <image href="https://..."> reference — flagged, not rejected outright.

Representative Samples

valid/basic-safe.svg — the minimal passing case:

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" role="img" aria-label="Example icon">
<title>Example icon</title>
<metadata id="sesm"><![CDATA[
{
"sesm_version": "0.3.0",
"asset": {
"id": "basic-safe",
"role": "icon",
"title": "Basic Safe SESM Icon"
},
"llm": {
"summary": "A simple safe-profile SESM fixture.",
"interpretation_hints": [
"Interpret this as a minimal icon fixture."
]
}
}
]]></metadata>
<circle cx="50" cy="50" r="40" fill="#22D3EE"/>
</svg>

invalid/script.svg — the simplest failing case, shown as text only (this fixture is intentionally unsafe and must never be rendered or embedded as a live image):

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<metadata id="sesm"><![CDATA[
{
"sesm_version": "0.3.0",
"asset": { "id": "script-fixture", "role": "icon" }
}
]]></metadata>
<script>alert("unsafe")</script>
<circle cx="50" cy="50" r="40"/>
</svg>

warning/remote-reference.svg — a borderline case that warns rather than fails, since remote references are policy-dependent rather than universally forbidden:

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<metadata id="sesm"><![CDATA[
{
"sesm_version": "0.3.0",
"asset": { "id": "remote-reference-fixture", "role": "icon" }
}
]]></metadata>
<image href="https://example.com/remote.png" width="100" height="100"/>
</svg>

The remaining invalid fixtures (event-handler.svg, javascript-url.svg, duplicate-metadata.svg, bad-json.svg) follow the same one-issue-per-file pattern and are not reproduced individually here — each triggers exactly the error code named in the table above (svg-event-handler, javascript-url, sesm-duplicate, sesm-json-invalid respectively; see Validator Rules).