admin管理员组文章数量:1313121
I want to include inline SVGs in a metabox textarea.
That's easy. What's killing me is how do I sanitize the textarea before saving the postmeta, and how do I escape it?
Halp?
Thanks!
I want to include inline SVGs in a metabox textarea.
That's easy. What's killing me is how do I sanitize the textarea before saving the postmeta, and how do I escape it?
Halp?
Thanks!
Share Improve this question edited Feb 21, 2017 at 20:53 yti-8vzBKekDu asked Feb 20, 2017 at 20:48 yti-8vzBKekDuyti-8vzBKekDu 1013 bronze badges 2- 1 I would recommend reading this: owasp/images/0/03/… – Laxmana Commented Feb 20, 2017 at 22:35
- 1 I had no idea how complex an svg was going to be. Thanks @Laxmana. – yti-8vzBKekDu Commented Feb 21, 2017 at 14:40
2 Answers
Reset to default 3Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github/darylldoyle/svg-sanitizer
Here is an example of how this could be used:
// Now do what you want with your clean SVG/XML data
function your_save_meta( $post_id, $post, $update ) {
// - Update the post's metadata.
if ( isset( $_POST['svg_meta'] ) ) {
// Load the sanitizer. (This path will need to be updated)
use enshrined\svgSanitize\Sanitizer;
// Create a new sanitizer instance
$sanitizer = new Sanitizer();
// Pass your meta data to the sanitizer and get it back clean
$cleanSVG = $sanitizer->sanitize($_POST['svg_meta']);
// Update your post meta
update_post_meta( $post_id, 'svg_meta_name', $cleanSVG );
}
}
add_action( 'save_post', 'your_save_meta', 10, 3 );
Safe SVG (mentioned by @Marc) is by far the best WP plugin I've seen.
It's important to note, though, that it's likely there are ways to bypass it. SVGs are insecure by design; we all think of them as images, but in reality they're mini XML applications.
DOMPurify is the only reliably secure solution that I'm aware of. That's because it runs in JavaScript, so it can analyze objects after they've been parsed by the engine. It's impossible for PHP to do that. You can read more about it in #24251-core.
For most sites, though, Safe SVG is probably a good compromise. For a mission-critical/enterprise/ecommerce site, though, I'd recommend running it through DOMPurify (although it wont be easy).
- Hook into WP's upload process, probably via the
pre_move_uploaded_filefilter provided by_wp_handle_upload(). - Get the value of the uploaded SVG from
$fileas a string, and make an HTTPS request to a Node.js API. - Setup the Node app to accept the string, run it through DOMPurify, and return the result.
- The PHP plugin can then save the sanitized result.
To be practical, though, it's probably better to just avoid SVGs in situations like this, and use an actual image format instead.
本文标签: sanitizationEscaping and sanitizing SVGs in metabox textarea
版权声明:本文标题:sanitization - Escaping and sanitizing SVGs in metabox textarea 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741929008a2405463.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论