//#region src/lib/sanitize-svg.d.ts
/**
 * SECURITY: Strip script-bearing constructs from an SVG string before it is
 * passed to `dangerouslySetInnerHTML` (e.g. via `<PreviewPanelDialog
 * unsafeHtml={…}/>`).
 *
 * This is an allowlist-leaning scrubber that closes the documented XSS
 * vectors. It assumes the caller produced the SVG from a Mermaid render (or
 * equivalent server-side renderer) and provides defense-in-depth against:
 *
 *   - `<script>` tags (including nested / lazy variants)
 *   - `<foreignObject>` (HTML-in-SVG escape hatch)
 *   - `<iframe>` / `<embed>` / `<object>` (even when emitted outside foreignObject)
 *   - SMIL animation elements (`<set>`, `<animate>`, `<animateTransform>`,
 *     `<animateMotion>`) that can rewrite `on*` / `href` at runtime
 *   - `on*` event-handler attributes
 *   - `href` / `xlink:href` with `javascript:` or `data:text/html` schemes,
 *     including the unquoted attribute form (`href=javascript:alert(1)`)
 *   - CSS `style="…url(javascript:…)"` / `expression(…)` payloads
 *
 * Output that doesn't start with `<svg` after stripping is rejected — the
 * caller gets an empty string and the renderer falls back to its placeholder.
 *
 * If you need stronger guarantees (untrusted SVG from third parties), pipe
 * the result through DOMPurify with `USE_PROFILES: { svg: true, svgFilters: true }`.
 */
declare function sanitizeSvg(svg: string): string;
//#endregion
export { sanitizeSvg };