Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added a helper function for wp_kses to sanitize a SVG #137

Closed
wants to merge 3 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,14 @@ add_filter( 'svg_allowed_tags', function ( $tags ) {
} );
```

### Can `wp_kses` be used with a helper to sanitize an SVG?
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue: kses will not sanitise SVGs, so we either need to change this title, or re-think the use-case for this filter.


Indeed, you can accomplish this with `\SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html()`:

```php
echo wp_kses('<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 25"><path fill="currentcolor" d="M17.525 9.302H14v-2c0-1.032.084-1.682 1.563-1.682h1.868V2.44a26.065 26.065 0 0 0-2.738-.138C11.98 2.302 10 3.959 10 7v2.3H7v4h3v9h4V13.3l3.066-.001.459-3.996Z"/></svg>', \SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html())
```

## Support Level

**Stable:** 10up is not planning to develop any new features for this, but will still respond to bug reports and security concerns. We welcome PRs, but any that include new features should be small and easy to integrate and should not include breaking changes. We otherwise intend to keep this tested up to the most recent version of WordPress.
Expand Down
94 changes: 94 additions & 0 deletions includes/safe-svg-tags.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,98 @@ public static function getTags() {
*/
return apply_filters( 'svg_allowed_tags', parent::getTags() );
}

/**
* Standard SVG settings for escaping through `wp_kses()` function.
*
* @return array Array of allowed HTML tags and their allowed attributes.
*/
public static function kses_allowed_html() {
return array(
'svg' => array(
'version' => true,
'class' => true,
'fill' => true,
'height' => true,
'xml:space' => true,
'xmlns' => true,
'xmlns:xlink' => true,
'viewbox' => true,
'enable-background' => true,
'width' => true,
'x' => true,
'y' => true,
),
'path' => array(
'clip-rule' => true,
'd' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
),
'g' => array(
'class' => true,
'clip-rule' => true,
'd' => true,
'transform' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
),
'rect' => array(
'clip-rule' => true,
'd' => true,
'transform' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
'width' => true,
'height' => true,
),
'polygon' => array(
'clip-rule' => true,
'd' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
'points' => true,
),
'circle' => array(
'clip-rule' => true,
'd' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
'cx' => true,
'cy' => true,
'r' => true,
),
'lineargradient' => array(
'id' => true,
'gradientunits' => true,
'x' => true,
'y' => true,
'x2' => true,
'y2' => true,
'gradienttransform' => true,
),
'stop' => array(
'offset' => true,
'style' => true,
),
'image' => array(
'height' => true,
'width' => true,
'xlink:href' => true,
),
'defs' => array(
'clipPath' => true,
),
);
}
}
10 changes: 10 additions & 0 deletions tests/unit/test-safe-svg-tags.php
Original file line number Diff line number Diff line change
Expand Up @@ -47,4 +47,14 @@ public function test_get_tags() {
$this->assertContains( 'customTag', $svg_tags );
$this->assertSame( $svg_tags, $filtered_svg_tags );
}

/**
* Test the kses_allowed_html function.
*
* @throws PHPUnit\Framework\AssertionFailedError If the function does not return an array.
*/
public function test_kses_allowed_html() {
$allowed_html = SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html();
$this->assertIsArray( $allowed_html );
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thought (non-blocking): This feels like adding a test just to have a test. I'd prefer it if we were either verifying that the correct items were stripped from an SVG, or that the correct params/attributes are included.

}
}