Sanitizing SVG using PHP

删除回忆录丶 提交于 2019-12-03 07:01:45
Bertrand

I am working with xml and PHP but I am not sure at all for your question. Please take it as an idea/suggestion, not more.

SimpleXML use libxml to load the xml content. http://www.php.net/manual/en/simplexml.requirements.php

You can disable the external entities using:

libxml_disable_entity_loader (TRUE)

http://www.php.net/manual/en/function.libxml-disable-entity-loader.php

before loading your file with simpleXML.

Then you could validate against SVG schema

http://us3.php.net/manual/en/domdocument.schemavalidate.php or http://us3.php.net/manual/en/domdocument.validate.php

The only concern I would see is that svg could contain script element. http://www.w3.org/TR/SVG/script.html#ScriptElement

There information on 1.1 DTD here: http://www.w3.org/Graphics/SVG/1.1/DTD/svg-framework.mod http://www.w3.org/TR/2003/REC-SVG11-20030114/REC-SVG11-20030114.pdf

You might provide a SVG DTD with a modified version of the script element or loop through elements to prevent the script element to be present.

It won't be perfect, but at least better than nothing.

You need to sanitize SVG using XML parser + whitelist.

Because SVG already has multiple ways to execute code and future extensions may add additional methods, you simply cannot blacklist "known dangerous" constructs. Whitelisting safe elements and attributes does work as long as you correctly handle all the XML corner cases (e.g. XSLT stylesheets, entity expansions, external entity references).

Example implementations: https://github.com/alnorris/SVG-Sanitizer/blob/master/SvgSanitizer.php (MIT license) or https://github.com/darylldoyle/svg-sanitizer (GPL v2 license)

More information about attack vectors that you have to consider while selecting which features you want to support:

You can use SVG Sanitize package: https://packagist.org/packages/enshrined/svg-sanitize

Has 500k installs on the date this answer is written.

use enshrined\svgSanitize\Sanitizer;

// Create a new sanitizer instance
$sanitizer = new Sanitizer();

// Load the dirty svg
$dirtySVG = file_get_contents('filthy.svg');

// Pass it to the sanitizer and get it back clean
$cleanSVG = $sanitizer->sanitize($dirtySVG);

// Now do what you want with your clean SVG/XML data
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!