This extension sanitizes every SVG file that is uploaded to the TYPO3 system, but only for the default options. Please read the following section carefully for all the details.
This extension removes all script and data values in attributes. This means that an embedded PNG is also removed. Example:
// before parser
<image width="100" height="100" xlink:href="data:image/png;base64,xxxx"/>
// after parser
<image width="100" height="100" />
- Hooks into FAL API: ResourceFactory::addFile() and ResourceFactory::replaceFile()
- Hooks into FAL API: ResourceStorage::setFileContents()
- Hooks into DataHandler: Handling files for group/select function
- Hooks into GeneralUtility::upload_copy_move()
- Hooks into GeneralUtility::upload_to_tempfile()
- Provides an upgrade wizard for existing SVG files (please read the warnings in the upgrade wizard carefully)
This extension can sanitize files only if the upload happens through one of the ways listed above. For example, if a third-party extension allows an upload and does not make use of the core APIs described above, the sanitizer can't sanitize these files.
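Because files that reach storage outside the hooks listed above are never sanitized, auditing what is already stored is a useful companion check. The following Python script is an added example, not part of the extension or the svg-sanitizer library: it flags stored SVG files that still contain script elements, event handler attributes, or data:/javascript: attribute values. The function names and the default `fileadmin` directory are assumptions, and the checks are a heuristic reading of "script and data values in attributes", not the sanitizer's own rule set.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the page's <image> example plus a script element and an event handler.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<image width="100" height="100" xlink:href="data:image/png;base64,xxxx"/>'
    '<script/><rect onload="x()"/></svg>'
)

def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def audit_svg(text):
    """Return a list of findings for one SVG document (empty list: nothing flagged)."""
    # Entity declarations are reported without parsing: the stdlib parser is not
    # hardened against entity expansion, and a stored SVG is untrusted input.
    if "<!ENTITY" in text.upper():
        return ["entity declaration, file not parsed"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.append("<script> element")
        for name, value in el.attrib.items():
            attr, val = local(name), "".join(value.split()).lower()
            if attr.startswith("on"):
                findings.append(f"event handler attribute {attr} on <{tag}>")
            elif val.startswith(("data:", "javascript:")):
                findings.append(f"{val.split(':')[0]}: value in {attr} on <{tag}>")
    return findings

def audit_tree(root_dir):
    """Map each .svg file under root_dir to its findings; clean files are omitted."""
    report = {}
    for path in sorted(Path(root_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".svg":
            found = audit_svg(path.read_text(encoding="utf-8-sig", errors="replace"))
            if found:
                report[str(path)] = found
    return report

if __name__ == "__main__":
    # "fileadmin" as the default storage directory is an assumption; pass your own path.
    for svg_path, found in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "fileadmin").items():
        print(svg_path, "; ".join(found), sep="\t")
```

Files that are reported as not well-formed or as containing entity declarations are not inspected further and need a manual look.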
Thanks to Daryll Doyle and his svg-sanitizer library.
The process of bundling a composer package into a dedicated PHAR archive has been taken from the blog post "How to use PHP libraries in legacy extensions".
First, install the bundler package clue/phar-composer globally:
composer global require clue/phar-composer
Then, inside the extension folder, create the PHAR archive (in case global composer binaries are not part of the PATH environment, it's possible to invoke ~/.composer/vendor/bin/phar-composer directly):
cd typo3conf/ext/svg_sanitizer
phar-composer build enshrined/svg-sanitize Libraries/enshrined-svg-sanitize.phar
Please report any issues with the extension at GitHub.