This is my attempt at building a decent SVG sanitizer in PHP. The work is largely borrowed from DOMPurify.
Require enshrined/svg-sanitize through composer, or download the repo and include it the old way!
Using this is fairly easy. Create a new instance of `enshrined\svgSanitize\Sanitizer` and then call `sanitize`, passing in your dirty SVG/XML:

```php
use enshrined\svgSanitize\Sanitizer;

// Create a new sanitizer instance
$sanitizer = new Sanitizer();

// Load the dirty svg
$dirtySVG = file_get_contents('filthy.svg');

// Pass it to the sanitizer and get it back clean
$cleanSVG = $sanitizer->sanitize($dirtySVG);

// Now do what you want with your clean SVG/XML data
```
This will either return a sanitized SVG/XML string or boolean
false if XML parsing failed (usually due to a badly formatted file).
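An added example, not from the project's README, showing how an upload handler would wrap the call: it builds a small constructed SVG inline instead of reading a file, handles the boolean `false` returned on a parse failure, and applies a conservative post-check before the caller stores the result. The helper `sanitizeSvgUpload` is my own name, not part of svg-sanitize.

```php
<?php
require 'vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

/**
 * Sanitize an uploaded SVG and return the clean markup, or null if it must be rejected.
 * (Hypothetical helper written for this example; not part of svg-sanitize.)
 */
function sanitizeSvgUpload(string $dirtySvg): ?string
{
    $sanitizer = new Sanitizer();
    $clean = $sanitizer->sanitize($dirtySvg);

    // sanitize() returns boolean false when the XML could not be parsed;
    // treat that as a rejected upload rather than storing an empty/false value.
    if ($clean === false) {
        return null;
    }

    // Belt-and-braces check: refuse output that still carries a script element
    // or an on* event-handler attribute. A correctly configured sanitizer never
    // trips this; it guards against an over-permissive custom whitelist passed
    // via setAllowedAttrs. It is deliberately conservative (fails closed).
    if (preg_match('/<script\b|\son[a-z]+\s*=/i', $clean)) {
        return null;
    }

    return $clean;
}

// Constructed sample input: a benign circle alongside a script element and
// an event-handler attribute, i.e. the kind of content a sanitizer must strip.
$dirty = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" onload="doSomething()">
  <circle cx="10" cy="10" r="5"/>
  <script>/* constructed script content */</script>
</svg>
SVG;

$clean = sanitizeSvgUpload($dirty);
if ($clean === null) {
    echo "upload rejected\n";
} else {
    echo $clean, "\n";
}

// Malformed XML (unclosed element): sanitize() returns false, so the helper returns null.
var_dump(sanitizeSvgUpload('<svg><circle'));
```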
You may pass your own whitelist of tags and attributes by using the
Sanitizer::setAllowedAttrs methods respectively.
These methods require that you implement the
You can minify the XML output by calling
There is a demo available at: http://svg.enshrined.co.uk/
I've just released a WordPress plugin containing this code so you can sanitize your WordPress uploads. It's available from the WordPress plugin directory: https://wordpress.org/plugins/safe-svg/
You can run these by running
More extensive testing for the SVGs/XML would be lovely, I'll try and add these soon. If you feel like doing it for me, please do and make a PR!