Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added a helper function for wp_kses to sanitize a SVG #137

Closed
wants to merge 3 commits into from
Closed

Added a helper function for wp_kses to sanitize a SVG #137

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7770953
feat(kses): added a helper function for wp_kses to santize allowed sv…
bmarshall511 Jul 20, 2023
145103b
feat(kses): added unit test for kses_allowed_html
bmarshall511 Jul 20, 2023
6caa7ba
feat(kses_allowed_html): updated the documentation
bmarshall511 Jul 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,14 @@ add_filter( 'svg_allowed_tags', function ( $tags ) {
} );
```

### Can `wp_kses` be used with a helper to sanitize an SVG?
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue: kses will not sanitise SVGs, so we either need to change this title, or re-think the use-case for this filter.


Indeed, you can accomplish this with `\SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html()`:

```php
echo wp_kses('<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 25"><path fill="currentcolor" d="M17.525 9.302H14v-2c0-1.032.084-1.682 1.563-1.682h1.868V2.44a26.065 26.065 0 0 0-2.738-.138C11.98 2.302 10 3.959 10 7v2.3H7v4h3v9h4V13.3l3.066-.001.459-3.996Z"/></svg>', \SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html())
```

## Support Level

**Stable:** 10up is not planning to develop any new features for this, but will still respond to bug reports and security concerns. We welcome PRs, but any that include new features should be small and easy to integrate and should not include breaking changes. We otherwise intend to keep this tested up to the most recent version of WordPress.
Expand Down
94 changes: 94 additions & 0 deletions includes/safe-svg-tags.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,98 @@ public static function getTags() {
*/
return apply_filters( 'svg_allowed_tags', parent::getTags() );
}

/**
* Standard SVG settings for escaping through `wp_kses()` function.
*
* @return array Array of allowed HTML tags and their allowed attributes.
*/
public static function kses_allowed_html() {
return array(
'svg' => array(
'version' => true,
'class' => true,
'fill' => true,
'height' => true,
'xml:space' => true,
'xmlns' => true,
'xmlns:xlink' => true,
'viewbox' => true,
'enable-background' => true,
'width' => true,
'x' => true,
'y' => true,
),
'path' => array(
'clip-rule' => true,
'd' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
),
'g' => array(
'class' => true,
'clip-rule' => true,
'd' => true,
'transform' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
),
'rect' => array(
'clip-rule' => true,
'd' => true,
'transform' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
'width' => true,
'height' => true,
),
'polygon' => array(
'clip-rule' => true,
'd' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
'points' => true,
),
'circle' => array(
'clip-rule' => true,
'd' => true,
'fill' => true,
'fill-rule' => true,
'stroke' => true,
'stroke-width' => true,
'cx' => true,
'cy' => true,
'r' => true,
),
'lineargradient' => array(
'id' => true,
'gradientunits' => true,
'x' => true,
'y' => true,
'x2' => true,
'y2' => true,
'gradienttransform' => true,
),
'stop' => array(
'offset' => true,
'style' => true,
),
'image' => array(
'height' => true,
'width' => true,
'xlink:href' => true,
),
'defs' => array(
'clipPath' => true,
),
);
}
}
10 changes: 10 additions & 0 deletions tests/unit/test-safe-svg-tags.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,4 +47,14 @@ public function test_get_tags() {
$this->assertContains( 'customTag', $svg_tags );
$this->assertSame( $svg_tags, $filtered_svg_tags );
}

/**
* Test the kses_allowed_html function.
*
* @throws PHPUnit\Framework\AssertionFailedError If the function does not return an array.
*/
public function test_kses_allowed_html() {
$allowed_html = SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html();
$this->assertIsArray( $allowed_html );
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thought (non-blocking): This feels like adding a test just to have a test. I'd prefer it if we were either verifying that the correct items were stripped from an SVG, or that the correct params/attributes are included.

}
}
Loading