A PHP SVG/XML Sanitizer


darylldoyle/svg-sanitizer


This is my attempt at building a decent SVG sanitizer in PHP. The work is largely borrowed from DOMPurify.

Installation

Either require enshrined/svg-sanitize through Composer, or download the repo and include it the old way!

Usage

Using this is fairly easy. Create a new instance of enshrined\svgSanitize\Sanitizer and then call the sanitize method, passing in your dirty SVG/XML.

Basic Example

```php
use enshrined\svgSanitize\Sanitizer;

// Create a new sanitizer instance
$sanitizer = new Sanitizer();

// Load the dirty svg
$dirtySVG = file_get_contents('filthy.svg');

// Pass it to the sanitizer and get it back clean
$cleanSVG = $sanitizer->sanitize($dirtySVG);

// Now do what you want with your clean SVG/XML data
```

Output

This will either return a sanitized SVG/XML string or boolean false if XML parsing failed (usually due to a badly formatted file).

Options

You may pass your own whitelist of tags and attributes by using the Sanitizer::setAllowedTags and Sanitizer::setAllowedAttrs methods respectively.

These methods require that you implement the enshrined\svgSanitize\data\TagInterface or enshrined\svgSanitize\data\AttributeInterface.

Remove remote references

You have the option to remove attributes that reference remote files. This stops HTTP leaks (the client rendering the SVG fetching resources from an external host) but adds overhead to the sanitizer.

This defaults to false, set to true to remove references.

$sanitizer->removeRemoteReferences(true);

Viewing Sanitization Issues

You may use the getXmlIssues() method to return an array of issues that occurred during sanitization.

This may be useful for logging or providing feedback to the user on why an SVG was refused.

$issues = $sanitizer->getXmlIssues();

Minification

You can minify the XML output by calling $sanitizer->minify(true);.
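The three options above combined into one upload-validation helper, as an added example that is not part of the README. It assumes the package was installed via Composer (vendor/autoload.php) and prints each issue entry generically rather than assuming its key layout; the sample SVG is constructed for the demonstration.

```php
<?php
// Added example: sanitize an uploaded SVG with remote references removed,
// minify the result, and report what the sanitizer stripped.
require __DIR__ . '/vendor/autoload.php'; // assumption: Composer install

use enshrined\svgSanitize\Sanitizer;

// Returns ['svg' => string, 'issues' => array], or null when the input
// could not be parsed as XML (sanitize() returns false in that case).
function sanitizeUpload(string $dirtySvg): ?array
{
    $sanitizer = new Sanitizer();
    // Drop attributes that point at remote hosts so the rendering client
    // cannot be made to fetch external resources (the "HTTP leak" above).
    $sanitizer->removeRemoteReferences(true);
    // Compact the output; whitespace-only nodes carry no information here.
    $sanitizer->minify(true);

    $clean = $sanitizer->sanitize($dirtySvg);
    if ($clean === false) {
        // Malformed XML: refuse the upload instead of guessing at its content.
        return null;
    }

    return [
        'svg'    => $clean,
        // One entry per element/attribute removed; handy for audit logging
        // or for telling the uploader why the file changed.
        'issues' => $sanitizer->getXmlIssues(),
    ];
}

// Constructed sample: a harmless rectangle plus content a sanitizer should
// strip (an inline script and an image loaded from a remote host).
$dirty = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10"/>
  <script>console.log('x')</script>
  <image xlink:href="http://remote.example/pixel.png"/>
</svg>
SVG;

$result = sanitizeUpload($dirty);
if ($result === null) {
    echo "Rejected: input is not well-formed XML\n";
} else {
    echo $result['svg'], "\n";
    foreach ($result['issues'] as $issue) {
        echo 'Removed: ', json_encode($issue), "\n";
    }
}
```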

Demo

There is a demo available at: http://svg.enshrined.co.uk/

WordPress

I've just released a WordPress plugin containing this code so you can sanitize your WordPress uploads. It's available from the WordPress plugin directory: https://wordpress.org/plugins/safe-svg/

Drupal

Michael Potter has kindly created a Drupal module for this library, which is available at: https://www.drupal.org/project/svg_sanitizer

TYPO3

This SVG sanitizer library is used by default in the core of TYPO3 v9 and later versions. See the corresponding changelog entry for more details.

Tests

You can run these by running vendor/bin/phpunit from the base directory of this package.

Standalone scanning of files via CLI

Thanks to the work by gudmdharalds there's now a standalone scanner that can be used via the CLI.

Any errors will be output in JSON format. See the PR for an example.

Use it as follows: php svg-scanner.php ~/svgs/myfile.svg

To-Do

More extensive testing for the SVGs/XML would be lovely, I'll try and add these soon. If you feel like doing it for me, please do and make a PR!
