A PHP SVG/XML Sanitizer
Latest commit 7a1e995 Dec 2, 2016 @darylldoyle Allow orient attribute




This is my attempt at building a decent SVG sanitizer in PHP. The work is largely borrowed from DOMPurify.


Either require enshrined/svg-sanitize through Composer or download the repo and include it the old way!


Using this is fairly easy. Create a new instance of enshrined\svgSanitize\Sanitizer and then call its sanitize method, passing in your dirty SVG/XML.

Basic Example

use enshrined\svgSanitize\Sanitizer;

// Create a new sanitizer instance
$sanitizer = new Sanitizer();

// Load the dirty svg
$dirtySVG = file_get_contents('filthy.svg');

// Pass it to the sanitizer and get it back clean
$cleanSVG = $sanitizer->sanitize($dirtySVG);

// Now do what you want with your clean SVG/XML data


This will either return a sanitized SVG/XML string or boolean false if XML parsing failed (usually due to a badly formatted file).


You may pass your own whitelist of tags and attributes by using the Sanitizer::setAllowedTags and Sanitizer::setAllowedAttrs methods respectively.

These methods require that you implement the enshrined\svgSanitize\data\TagInterface or enshrined\svgSanitize\data\AttributeInterface.


You can minify the XML output by calling $sanitizer->minify(true);.
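Putting the whitelist, minify and false-return behaviour together, here is an added example that is not part of the library's own code: a narrow whitelist for simple icons that rejects the file outright when parsing fails. The class names IconTags and IconAttributes, the helper sanitizeIcon and the sample SVG are made up for illustration; getTags() and getAttributes() are the static methods the two interfaces declare, so check them against your installed version.

```php
<?php
// Added example, not library code. Assumes a Composer install (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;
use enshrined\svgSanitize\data\TagInterface;
use enshrined\svgSanitize\data\AttributeInterface;

// Hypothetical whitelist for simple icons: shapes only, no <a>, <use> or <image>.
// Names are lower case on the assumption that the sanitizer lower-cases before comparing.
class IconTags implements TagInterface {
    public static function getTags() {
        return array('svg', 'g', 'path', 'circle', 'rect', 'title');
    }
}

class IconAttributes implements AttributeInterface {
    public static function getAttributes() {
        return array('xmlns', 'viewbox', 'width', 'height', 'd', 'fill', 'stroke', 'cx', 'cy', 'r');
    }
}

// Hypothetical helper: returns clean markup, or throws so the caller rejects the file.
function sanitizeIcon($dirtySVG)
{
    $sanitizer = new Sanitizer();
    $sanitizer->setAllowedTags(new IconTags());
    $sanitizer->setAllowedAttrs(new IconAttributes());
    $sanitizer->minify(true);

    $clean = $sanitizer->sanitize($dirtySVG);
    if ($clean === false) {
        // Parsing failed: fail closed, never fall back to the original bytes.
        throw new RuntimeException('SVG rejected: XML parsing failed');
    }
    return $clean;
}

// Constructed sample input carrying a script element and an event handler attribute.
$dirty = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
       . '<script>alert(1)</script>'
       . '<circle cx="5" cy="5" r="4" onload="alert(2)" fill="red"/></svg>';

echo sanitizeIcon($dirty), PHP_EOL;
try {
    sanitizeIcon('<svg><circle'); // constructed truncated input
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Compare the return value with === false rather than a loose check, and store only the returned string, never the uploaded original.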


There is a demo available at: http://svg.enshrined.co.uk/


I've just released a WordPress plugin containing this code so you can sanitize your WordPress uploads. It's available from the WordPress plugin directory: https://wordpress.org/plugins/safe-svg/


Michael Potter has kindly created a Drupal module for this library which is available at: https://www.drupal.org/project/svg_sanitizer


You can run the tests by running phpunit.


More extensive testing for the SVGs/XML would be lovely. I'll try to add these soon. If you feel like doing it for me, please do and make a PR!