Problem
SVGO 3.3.3 replaced @trysound/sax with sax ^1.5.0. When installing via npm, version 1.6.0 is installed, which introduced XXE protection with a default maxEntityCount = 512 limit.
This causes SvgoParserError: Parsed entity count exceeds max entity count when processing SVG files with more than 512 entities, even though these files are valid and not malicious.
Root Cause
The sax parser in SVGO's parser.js creates a parser without passing the maxEntityCount parameter:
const sax = SAX.parser(config.strict, config);
In sax 1.6.0, this defaults to 512:
parser.opt.maxEntityCount = parser.opt.maxEntityCount || 512
Solution
Make maxEntityCount configurable via the SVGO API:
- Add maxEntityCount parameter to the sax parser configuration in lib/parser.js:
const config = {
  strict: true,
  trim: false,
  normalize: false,
  lowercase: true,
  xmlns: true,
  position: true,
  unparsedEntities: true,
  maxEntityCount: options.maxEntityCount || 512,
};
const sax = SAX.parser(config.strict, config);
sax.opt.maxEntityCount = config.maxEntityCount;
- Expose maxEntityCount in the optimize() function options so users can configure it:
optimize(svg, {
  maxEntityCount: 512, // configurable parameter
  // ... other options
});
Impact
This affects any project that:
- Uses SVGO 3.3.3 or later
- Processes SVG files with many entities (complex diagrams, icons with many paths, etc.)
- Builds CLI binaries with pkg that bundle SVGO
References
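A pre-flight triage for the situation the issue describes, as an added example that is not part of the original issue or of SVGO's or sax's code: it separates files that merely exceed the 512 limit with flat internal entities from files whose entities are external or nested, which is what the limit exists to stop. The regex-based counting is an approximation and not sax's own logic; the function names, verdict labels and sample inputs are constructed for illustration.

```javascript
// Added example: static pre-flight triage of entity usage in an SVG.
// Approximation only; this is not sax's internal counting logic.
const DEFAULT_LIMIT = 512; // sax 1.6.0 default quoted in the issue
const PREDEFINED = new Set(['amp', 'lt', 'gt', 'quot', 'apos']);

// Names of general-entity references in text, ignoring XML's predefined five.
function namedRefs(text) {
  return [...text.matchAll(/&([A-Za-z_:][\w.:-]*);/g)]
    .map((r) => r[1])
    .filter((name) => !PREDEFINED.has(name));
}

function triageEntities(svg, limit = DEFAULT_LIMIT) {
  // Internal DTD subset: the part between '[' and ']>' of the DOCTYPE.
  const m = svg.match(/<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/);
  const subset = m ? m[1] : '';
  const body = m ? svg.slice(m.index + m[0].length) : svg;

  const declRe = /<!ENTITY\s+(?:%\s+)?(\S+)\s+(?:(SYSTEM|PUBLIC)\b|"([^"]*)"|'([^']*)')/g;
  const decls = [...subset.matchAll(declRe)].map((d) => ({
    name: d[1],
    external: Boolean(d[2]), // resolves outside the document (XXE surface)
    nested: namedRefs(d[3] ?? d[4] ?? '').length > 0, // expansion amplification
  }));

  const external = decls.filter((d) => d.external).map((d) => d.name);
  const nested = decls.filter((d) => d.nested).map((d) => d.name);
  const referenced = namedRefs(body).length;

  let verdict = 'ok';
  if (external.length || nested.length) verdict = 'reject';
  else if (decls.length > limit || referenced > limit) verdict = 'over-limit-flat';
  return { declared: decls.length, referenced, external, nested, verdict };
}

// Constructed samples (not taken from the issue).
function flatSvg(n) {
  const ids = Array.from({ length: n }, (_, i) => i);
  const decl = ids.map((i) => `<!ENTITY c${i} "#00${i % 10}">`).join('\n');
  const use = ids.map((i) => `<path fill="&c${i};" d="M0 0h1"/>`).join('');
  return `<!DOCTYPE svg [\n${decl}\n]>\n<svg xmlns="http://www.w3.org/2000/svg">${use}</svg>`;
}
const nestedSvg = '<!DOCTYPE svg [<!ENTITY a "x"><!ENTITY b "&a;&a;">]><svg>&b;</svg>';
const externalSvg = '<!DOCTYPE svg [<!ENTITY e SYSTEM "placeholder.txt">]><svg>&e;</svg>';

for (const [label, svg] of [['flat-600', flatSvg(600)], ['nested', nestedSvg], ['external', externalSvg]]) {
  console.log(label, JSON.stringify(triageEntities(svg)));
}
```

Only files that come back as `over-limit-flat` are candidates for a raised, still bounded limit; `reject` results should stay blocked whatever the limit is set to.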