
This is my attempt at building a decent SVG sanitizer in PHP. The work is largely borrowed from DOMPurify.


Either require enshrined/svg-sanitize through Composer or download the repository and include the files manually.


Using this is fairly easy. Create a new instance of enshrined\svgSanitize\Sanitizer and then call sanitize(), passing in your dirty SVG/XML.

Basic Example

use enshrined\svgSanitize\Sanitizer;

// Create a new sanitizer instance
$sanitizer = new Sanitizer();

// Load the dirty svg
$dirtySVG = file_get_contents('filthy.svg');

// Pass it to the sanitizer and get it back clean
$cleanSVG = $sanitizer->sanitize($dirtySVG);

// sanitize() returns false when the input could not be parsed as XML,
// so check for that before using the result
if ($cleanSVG === false) {
    // reject the file; do not serve the original
}

// Now do what you want with your clean SVG/XML data


This will return either a sanitized SVG/XML string or boolean false if XML parsing failed (usually because the file is badly formed). Treat false as a rejection, never as "nothing to sanitize".


You may pass your own whitelist of tags and attributes by using the Sanitizer::setAllowedTags and Sanitizer::setAllowedAttrs methods respectively.

Each method takes an object implementing enshrined\svgSanitize\data\TagInterface or enshrined\svgSanitize\data\AttributeInterface; the interfaces expose a static getTags() / getAttributes() method that returns the list of allowed names.

Remove remote references

You have the option to remove attributes that reference remote files. This stops a rendered SVG from making outbound HTTP requests (which leak the viewer's IP address and referer to a third party), at the cost of some extra work in the sanitizer.

This defaults to false; call $sanitizer->removeRemoteReferences(true) to remove such references.


Viewing Sanitisation Issues

You may use the getXmlIssues() method to return an array of issues that occurred during sanitisation.

This may be useful for logging or providing feedback to the user on why an SVG was refused.

$issues = $sanitizer->getXmlIssues();


You can minify the XML output by calling $sanitizer->minify(true);.
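The options above (a custom tag and attribute whitelist, remote reference removal, minification and the issue log) are combined below into one upload handler. This is an added example, not code from the library or its README: the StrictTags and StrictAttributes classes, the sanitizeUpload() function, the constructed sample SVG and the Composer autoload path are all assumptions made for the example, and the 'message'/'line' keys read from getXmlIssues() are assumed from the library's output rather than documented on this page.

```php
<?php
// Added example (not part of the library): a tightened configuration built on
// the public API: setAllowedTags, setAllowedAttrs, removeRemoteReferences,
// minify and getXmlIssues. Assumes a Composer install (vendor/autoload.php).

require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;
use enshrined\svgSanitize\data\AllowedAttributes;
use enshrined\svgSanitize\data\AllowedTags;
use enshrined\svgSanitize\data\AttributeInterface;
use enshrined\svgSanitize\data\TagInterface;

/**
 * Start from the library's default tag list and drop the elements that can
 * pull in external or interactive content. The names are lowercased first so
 * the array_diff matches regardless of how the defaults are cased; a name
 * that is not in the defaults is simply ignored by array_diff.
 */
class StrictTags implements TagInterface
{
    public static function getTags()
    {
        return array_values(array_diff(
            array_map('strtolower', AllowedTags::getTags()),
            ['a', 'image', 'use', 'foreignobject', 'script']
        ));
    }
}

/**
 * Default attribute list minus anything that carries a URL, CSS or a handler:
 * href/xlink:href (remote or javascript: targets), style (url() loads) and
 * the on* event attributes.
 */
class StrictAttributes implements AttributeInterface
{
    public static function getAttributes()
    {
        return array_values(array_diff(
            array_map('strtolower', AllowedAttributes::getAttributes()),
            ['href', 'xlink:href', 'style', 'onload', 'onclick', 'onmouseover']
        ));
    }
}

/**
 * Sanitize one uploaded SVG file. Returns the clean markup, or null when the
 * file must be rejected. $issues receives the sanitizer's findings so the
 * caller can log them or tell the user why the upload was refused.
 */
function sanitizeUpload(string $path, array &$issues = []): ?string
{
    $sanitizer = new Sanitizer();
    $sanitizer->setAllowedTags(new StrictTags());
    $sanitizer->setAllowedAttrs(new StrictAttributes());
    $sanitizer->removeRemoteReferences(true); // no outbound requests from the image
    $sanitizer->minify(true);

    $dirty = file_get_contents($path);
    if ($dirty === false) {
        return null;
    }

    $clean  = $sanitizer->sanitize($dirty);
    $issues = $sanitizer->getXmlIssues();

    // false means the XML could not be parsed at all: reject, never fall back
    // to serving the original bytes
    if ($clean === false) {
        return null;
    }
    return $clean;
}

// Constructed malicious sample: inline script, an event handler and a remote
// image that would phone home when the SVG is rendered.
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <image xlink:href="http://attacker.example/track.png" width="10" height="10"/>
  <rect x="10" y="10" width="80" height="80" fill="#39f"/>
</svg>
SVG;

$tmp = tempnam(sys_get_temp_dir(), 'svg');
file_put_contents($tmp, $sample);

$issues = [];
$clean  = sanitizeUpload($tmp, $issues);
unlink($tmp);

if ($clean === null) {
    fwrite(STDERR, "rejected: SVG could not be parsed\n");
    exit(1);
}

// Assumed issue shape: each entry has a 'message' and a 'line' key
foreach ($issues as $issue) {
    printf("line %s: %s\n", $issue['line'] ?? '?', $issue['message'] ?? json_encode($issue));
}
echo $clean, PHP_EOL;
```

Whether a file that produced issues should still be accepted is a policy decision: for a public upload endpoint it is reasonable to reject any file with a non-empty issue list, since a legitimate icon rarely contains script, event handlers or remote images, and the log then doubles as an abuse signal.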


There is a demo available at:


I've just released a WordPress plugin containing this code so you can sanitize your WordPress uploads. It's available from the WordPress plugin directory:


Michael Potter has kindly created a Drupal module for this library which is available at:


You can run the test suite with phpunit.

Standalone scanning of files via CLI

Thanks to the work by gudmdharalds there's now a standalone scanner that can be used via the CLI.

Any errors will be output in JSON format. See the PR for an example.

Use it as follows: php svg-scanner.php ~/svgs/myfile.svg


More extensive testing for the SVGs/XML would be lovely; I'll try to add these soon. If you feel like doing it for me, please do and make a PR!