PHPackages enshrined/svg-sanitize - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. enshrined/svg-sanitize ActiveLibrary[Security](/categories/security) enshrined/svg-sanitize ====================== An SVG sanitizer for PHP 0.22.0(9mo ago)54042.4M—6.7%66[18 issues](https://github.com/darylldoyle/svg-sanitizer/issues)[5 PRs](https://github.com/darylldoyle/svg-sanitizer/pulls)20GPL-2.0-or-laterPHPPHP ^7.1 || ^8.0CI failing Since Jun 19Pushed 9mo ago27 watchersCompare [ Source](https://github.com/darylldoyle/svg-sanitizer)[ Packagist](https://packagist.org/packages/enshrined/svg-sanitize)[ RSS](/packages/enshrined-svg-sanitize/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (1)Dependencies (1)Versions (55)Used By (20)Security (4) svg-sanitizer ============= [](#svg-sanitizer) [![Build Status](https://github.com/darylldoyle/svg-sanitizer/actions/workflows/tests.yml/badge.svg?branch=master)](https://travis-ci.org/darylldoyle/svg-sanitizer) [![Test Coverage](https://camo.githubusercontent.com/d0afaf83fecb2650564d8e8aa019e27f10a7fd8991e2f13db429de2fbf238c35/68747470733a2f2f636f6465636c696d6174652e636f6d2f6769746875622f646172796c6c646f796c652f7376672d73616e6974697a65722f6261646765732f636f7665726167652e737667)](https://codeclimate.com/github/darylldoyle/svg-sanitizer/coverage) This is my attempt at building a decent SVG sanitizer in PHP. The work is largely borrowed from [DOMPurify](https://github.com/cure53/DOMPurify). Installation ------------ [](#installation) Either require `enshrined/svg-sanitize` through composer or download the repo and include the old way! Usage ----- [](#usage) Using this is fairly easy. Create a new instance of `enshrined\svgSanitize\Sanitizer` and then call the `sanitize` whilst passing in your dirty SVG/XML **Basic Example** ``` use enshrined\svgSanitize\Sanitizer; // Create a new sanitizer instance $sanitizer = new Sanitizer(); // Load the dirty svg $dirtySVG = file_get_contents('filthy.svg'); // Pass it to the sanitizer and get it back clean $cleanSVG = $sanitizer->sanitize($dirtySVG); // Now do what you want with your clean SVG/XML data ``` Output ------ [](#output) This will either return a sanitized SVG/XML string or boolean `false` if XML parsing failed (usually due to a badly formatted file). Options ------- [](#options) You may pass your own whitelist of tags and attributes by using the `Sanitizer::setAllowedTags` and `Sanitizer::setAllowedAttrs` methods respectively. These methods require that you implement the `enshrined\svgSanitize\data\TagInterface` or `enshrined\svgSanitize\data\AttributeInterface`. Remove remote references ------------------------ [](#remove-remote-references) You have the option to remove attributes that reference remote files, this will stop HTTP leaks but will add an overhead to the sanitizer. This defaults to false, set to true to remove references. `$sanitizer->removeRemoteReferences(true);` Viewing Sanitization Issues --------------------------- [](#viewing-sanitization-issues) You may use the `getXmlIssues()` method to return an array of issues that occurred during sanitization. This may be useful for logging or providing feedback to the user on why an SVG was refused. `$issues = $sanitizer->getXmlIssues();` Minification ------------ [](#minification) You can minify the XML output by calling `$sanitizer->minify(true);`. Demo ---- [](#demo) There is a demo available at: WordPress --------- [](#wordpress) I've just released a WordPress plugin containing this code so you can sanitize your WordPress uploads. It's available from the WordPress plugin directory: Drupal ------ [](#drupal) [Michael Potter](https://github.com/heyMP) has kindly created a Drupal module for this library which is available at: [https://www.drupal.org/project/svg\_sanitizer](https://www.drupal.org/project/svg_sanitizer) TYPO3 ----- [](#typo3) This SVG sanitizer library is used per default in the core of TYPO3 v9 and later versions. See [corresponding changelog entry](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/9.5.x/Important-94492-IntroduceSVGSanitizer.html) for more details. Tests ----- [](#tests) You can run these by running `vendor/bin/phpunit` from the base directory of this package. Standalone scanning of files via CLI ------------------------------------ [](#standalone-scanning-of-files-via-cli) Thanks to the work by [gudmdharalds](https://github.com/gudmdharalds) there's now a standalone scanner that can be used via the CLI. Any errors will be output in JSON format. See [the PR](https://github.com/darylldoyle/svg-sanitizer/pull/25) for an example. Use it as follows: `php svg-scanner.php ~/svgs/myfile.svg` To-Do ----- [](#to-do) More extensive testing for the SVGs/XML would be lovely, I'll try and add these soon. If you feel like doing it for me, please do and make a PR! ### Health Score 64 — FairBetter than 99% of packages Maintenance57 Moderate activity, may be stable Popularity72 Solid adoption and visibility Community45 Growing community involvement Maturity72 Established project with proven stability Bus Factor1 Top contributor holds 64.6% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~79 days Recently: every ~134 days Total 48 Last Release 280d ago PHP version history (3 changes)0.14.1PHP ^7.0 || ^8.0 0.16.0PHP ^5.6 || ^7.0 || ^8.0 0.20.0PHP ^7.1 || ^8.0 ### Community Maintainers ![](https://www.gravatar.com/avatar/9c4f608be1318c7ca580fff7a037a860abe60a9886a8d12c44be2013c9e20901?d=identicon)[darylldoyle](/maintainers/darylldoyle) --- Top Contributors [![darylldoyle](https://avatars.githubusercontent.com/u/968731?v=4)](https://github.com/darylldoyle "darylldoyle (117 commits)")[![ohader](https://avatars.githubusercontent.com/u/402145?v=4)](https://github.com/ohader "ohader (31 commits)")[![gudmdharalds](https://avatars.githubusercontent.com/u/8835135?v=4)](https://github.com/gudmdharalds "gudmdharalds (8 commits)")[![lolli42](https://avatars.githubusercontent.com/u/2178068?v=4)](https://github.com/lolli42 "lolli42 (7 commits)")[![angrybrad](https://avatars.githubusercontent.com/u/61869?v=4)](https://github.com/angrybrad "angrybrad (5 commits)")[![adamroyle](https://avatars.githubusercontent.com/u/25002779?v=4)](https://github.com/adamroyle "adamroyle (2 commits)")[![norkunas](https://avatars.githubusercontent.com/u/2722872?v=4)](https://github.com/norkunas "norkunas (1 commits)")[![RingusMaximus](https://avatars.githubusercontent.com/u/269293876?v=4)](https://github.com/RingusMaximus "RingusMaximus (1 commits)")[![SeinopSys](https://avatars.githubusercontent.com/u/3200580?v=4)](https://github.com/SeinopSys "SeinopSys (1 commits)")[![snipe](https://avatars.githubusercontent.com/u/197404?v=4)](https://github.com/snipe "snipe (1 commits)")[![abarkine](https://avatars.githubusercontent.com/u/4799171?v=4)](https://github.com/abarkine "abarkine (1 commits)")[![xerc](https://avatars.githubusercontent.com/u/1372590?v=4)](https://github.com/xerc "xerc (1 commits)")[![adamsilverstein](https://avatars.githubusercontent.com/u/2676022?v=4)](https://github.com/adamsilverstein "adamsilverstein (1 commits)")[![brianteeman](https://avatars.githubusercontent.com/u/1296369?v=4)](https://github.com/brianteeman "brianteeman (1 commits)")[![hugopeek](https://avatars.githubusercontent.com/u/5436121?v=4)](https://github.com/hugopeek "hugopeek (1 commits)")[![igor-krein](https://avatars.githubusercontent.com/u/19888345?v=4)](https://github.com/igor-krein "igor-krein (1 commits)")[![joshuabaker](https://avatars.githubusercontent.com/u/160484?v=4)](https://github.com/joshuabaker "joshuabaker (1 commits)") --- Tags php-librarysecuritysvgsvg-sanitizerxml ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/enshrined-svg-sanitize/health.svg) ``` [![Health](https://phpackages.com/badges/enshrined-svg-sanitize/health.svg)](https://phpackages.com/packages/enshrined-svg-sanitize) ``` ### Alternatives [defuse/php-encryption Secure PHP Encryption Library 3.9k162.4M214](/packages/defuse-php-encryption)[mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k16.7M113](/packages/mews-purifier)[robrichards/xmlseclibs A PHP library for XML Security 41478.1M118](/packages/robrichards-xmlseclibs)[bjeavons/zxcvbn-php Realistic password strength estimation PHP library based on Zxcvbn JS 87117.5M63](/packages/bjeavons-zxcvbn-php)[illuminate/encryption The Illuminate Encryption package. 9229.7M280](/packages/illuminate-encryption)[paragonie/hidden-string Encapsulate strings in an object to hide them from stack traces 7410.6M39](/packages/paragonie-hidden-string) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)