This extension will sanitize any SVG file uploaded to the TYPO3 system, but only with the default options. Please read the following section carefully for all details.
This extension removes all script and data values in attributes. This means that, for example, embedded graphics such as PNGs are also removed:
// before parser
<image width="100" height="100" xlink:href="data:image/png;base64,xxxx"/>
// after parser
<image width="100" height="100" />
- Hooks into FAL API:
ResourceFactory::addFile()
andResourceFactory::replaceFile()
- Hooks into FAL API:
ResourceStorage::setFileContents()
- Hooks into DataHandler: Handling files for group/select function
- Hooks into
GeneralUtility::upload_copy_move()
- Hooks into
GeneralUtility::upload_to_tempfile()
- Provide an upgrade wizard for existing SVG files (please read the warnings in the upgrade wizard carefully)
This extension can only sanitize the files if the upload is done in one of the ways described above. For example, if a third-party extension allows to upload files and does not use the core APIs described above, SVG Sanitizer cannot sanitize these files.
Thanks to Daryll Doyle and his svg-sanitizer library
The process of bundling a composer package into a dedicated PHAR archive has been taken from blog post "How to use PHP libraries in legacy extensions".
First install bundler package clue/phar-composer
globally
composer global require clue/phar-composer
Then inside the extension folder create the PHAR archive
(in case global composer binaries are not part of the PATH environment, it's
possible to invoke ~/.composer/vendor/bin/phar-composer)
directly)
cd typo3conf/ext/svg_sanitizer
phar-composer build enshrined/svg-sanitize Libraries/enshrined-svg-sanitize.phar
Please report any issues with the extension at Github.