An SVG sanitizer for PHP
This is my attempt at building a decent SVG sanitizer in PHP. The work is largely borrowed from DOMPurify.
Either require enshrined/svg-sanitize through composer or download the repo and include the old way!
Using this is fairly easy. Create a new instance of enshrined\svgSanitize\Sanitizer and then call the sanitize method, passing in your dirty SVG/XML.
Basic Example
<?php
// Composer autoloader (needed when the library was required through composer)
require 'vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

// Create a new sanitizer instance
$sanitizer = new Sanitizer();

// Load the dirty svg
$dirtySVG = file_get_contents('filthy.svg');

// Pass it to the sanitizer and get it back clean
$cleanSVG = $sanitizer->sanitize($dirtySVG);

// Now do what you want with your clean SVG/XML data
This will either return a sanitized SVG/XML string or boolean false if XML parsing failed (usually due to a badly formatted file).
You may pass your own whitelist of tags and attributes by using the Sanitizer::setAllowedTags and Sanitizer::setAllowedAttrs methods respectively.
These methods require that you implement the enshrined\svgSanitize\data\TagInterface or enshrined\svgSanitize\data\AttributeInterface.
You have the option to remove attributes that reference remote files; this stops HTTP leaks but adds overhead to the sanitizer. This defaults to false; set it to true to remove references.
$sanitizer->removeRemoteReferences(true);
You may use the getXmlIssues() method to return an array of issues that occurred during sanitization. This may be useful for logging or providing feedback to the user on why an SVG was refused.
$issues = $sanitizer->getXmlIssues();
You can minify the XML output by calling $sanitizer->minify(true);
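A fuller worked example that combines the options above, added here and not part of the library's own README: it narrows the whitelist to a small icon vocabulary through the two interfaces, turns on remote-reference removal and minification, and reports the issues found in a constructed dirty upload. It assumes the interfaces declare static getTags() and getAttributes() methods, and the class and function names are the example's own.

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;
use enshrined\svgSanitize\data\TagInterface;
use enshrined\svgSanitize\data\AttributeInterface;

// Custom whitelist (constructed): only what a simple icon needs.
// Assumes the interfaces declare static getTags() / getAttributes().
final class IconTags implements TagInterface
{
    public static function getTags()
    {
        return ['svg', 'g', 'title', 'path', 'rect', 'circle', 'image'];
    }
}
final class IconAttributes implements AttributeInterface
{
    public static function getAttributes()
    {
        return ['xmlns', 'xmlns:xlink', 'viewBox', 'width', 'height', 'd', 'x', 'y',
                'cx', 'cy', 'r', 'fill', 'stroke', 'href', 'xlink:href'];
    }
}

// Sanitize one upload; returns [clean string or false, issues array].
function sanitizeIcon(string $dirty): array
{
    $sanitizer = new Sanitizer();
    $sanitizer->setAllowedTags(new IconTags());
    $sanitizer->setAllowedAttrs(new IconAttributes());
    $sanitizer->removeRemoteReferences(true); // drop http(s) references: no HTTP leaks
    $sanitizer->minify(true);
    $clean = $sanitizer->sanitize($dirty);
    return [$clean, $sanitizer->getXmlIssues()];
}

// Constructed dirty upload: inline script, event handler, remote image.
$dirtySVG = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <script>alert(1)</script>
  <circle cx="50" cy="50" r="40" fill="red" onload="alert(2)"/>
  <image xlink:href="http://example.com/pixel.gif" width="1" height="1"/>
</svg>
SVG;

[$clean, $issues] = sanitizeIcon($dirtySVG);
if ($clean === false) {          // parse failure: refuse the upload outright
    fwrite(STDERR, "Rejected: SVG could not be parsed\n");
    exit(1);
}
fwrite(STDERR, json_encode($issues, JSON_PRETTY_PRINT) . "\n"); // log what was stripped
echo $clean, PHP_EOL;            // script, onload and the remote href are gone
```

The issues array is what you would log or show to the uploader; the clean string is the only thing that should reach storage or a browser.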
There is a demo available at: http://svg.enshrined.co.uk/
I've just released a WordPress plugin containing this code so you can sanitize your WordPress uploads. It's available from the WordPress plugin directory: https://wordpress.org/plugins/safe-svg/
Michael Potter has kindly created a Drupal module for this library which is available at: https://www.drupal.org/project/svg_sanitizer
This SVG sanitizer library is used by default in the core of TYPO3 v9 and later versions. See the corresponding changelog entry for more details.
You can run the tests by running vendor/bin/phpunit from the base directory of this package.
Thanks to the work by gudmdharalds there's now a standalone scanner that can be used via the CLI. Any errors will be output in JSON format. See the PR for an example.
Use it as follows: php svg-scanner.php ~/svgs/myfile.svg
More extensive testing for the SVGs/XML would be lovely, I'll try and add these soon. If you feel like doing it for me, please do and make a PR!