Escaping and sanitizing SVGs in metabox textarea

Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github.com/darylldoyle/svg-sanitizer

Here is an example of how this could be used:

// Now do what you want with your clean SVG/XML data

function your_save_meta( $post_id, $post, $update ) {

    // - Update the post's metadata.

    if ( isset( $_POST['svg_meta'] ) ) {

        // Load the sanitizer. (This path will need to be updated)
        use enshrined\svgSanitize\Sanitizer;

        // Create a new sanitizer instance
        $sanitizer = new Sanitizer();

        // Pass your meta data to the sanitizer and get it back clean
        $cleanSVG = $sanitizer->sanitize($_POST['svg_meta']);

        // Update your post meta
        update_post_meta( $post_id, 'svg_meta_name', $cleanSVG );

    }

}
add_action( 'save_post', 'your_save_meta', 10, 3 );

Related Posts:

  1. Escape hexadecimals/rgba values
  2. Must I serialize/sanitize/escape array data before using set_transient?
  3. How to use wp_filter_oembed_result?
  4. Escaping data from database (users table) is necessary?
  5. Should I sanitize an email address before passing it to the is_email() function?
  6. Should HTML output be passed through esc_html() AND wp_kses()?
  7. Sanitize and data validation with apply_filters() function
  8. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  9. What’s the difference between esc_* functions?
  10. Reason for Lowercase usernames
  11. What is the best way to sanitize data?
  12. How to escape custom css?
  13. Escaping WP_Query tax_query when term has special character(s)
  14. Should nonce be sanitized?
  15. esc_url removes white space. Can I change that to using ‘-‘?
  16. WP Coding standards – escaping the inescapable?
  17. Sanitatizing when using the posts_where hook
  18. why is esc_html() returning nothing given a string containing a high-bit character?
  19. Sanitizing comments or escaping comment_text()
  20. Sanitizing, Validating and Escaping in WordPress (Plugin)
  21. How Could I sanitize the receive data from this code
  22. Echo JavaScript Safely
  23. How to sanitize user input?
  24. Which escape function to use when escaping an email or plain text?
  25. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  26. wp_kses ignore allowed and allow everything
  27. Sanitize array callback for the WordPress Settings API
  28. What is the safe way to print tracking code / pixel code before tag or tag
  29. How to escape $_GET and check if isset?
  30. How to escape html generate by a loop
  31. What’s a safe / good way to output HTML safely within WordPress templates?
  32. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  33. Sanitizing output that contains quotes?
  34. Do we need to escape data that we receive from theme options?
  35. WP_Customize_Manager: How to get control ID
  36. Escaping WP_Query tax_query when term has special character(s)
  37. Escaping and sanitization
  38. Escaping WP_Query tax_query when term has special character(s)
  39. Sanitization html output itself
  40. Post text sanitization after publishing/editing – changes are not saved
  41. wp_set_object_terms() without accents
  42. esc_url, esc_url_raw or sanitize_url?
  43. Properly sanitize an input field “Name “
  44. how to sanitizing $_POST with the correct way?
  45. How to Git stash pop specific stash in 1.8.3?
  46. Which characters need to be escaped when using Bash?
  47. Data sanitization: Best Practices with code examples
  48. Best Practice for PHP
  49. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  50. What to use instead of wp_kses() in user output
  51. What is the difference between esc_html and wp_filter_nohtml_kses?
  52. Understanding SVG vulnerabilities in WordPress related to a specific fix
  53. How to Use Wildcards in $wpdb Queries Using $wpdb->get_results & $wpdb->prepare?
  54. How to allow HTML tags into WP Bakery (formerly Visual Composer) `textfield` parameter
  55. Escaping SVG with KSES
  56. Should messages in WP_Error already be html escaped?
  57. Do you need to escape hard coded plain text?
  58. Should I sanitize custom post meta if it is going to be escaped later?
  59. How do I stop HTML entities in a custom meta box from being un-htmlentitied?
  60. Remove tinyMCE from admin and replace with textarea
  61. Adding extra SVGs to TwentyNineteen child theme using class TwentyNineteen_SVG_Icons
  62. wp_sanitize_redirect strips out @ signs (even from parameters) — why?
  63. Why should I escape translatable strings? and how shall i do that?
  64. Do I need to use the esc_html() function on hard coded links?
  65. Set media metadata (i.e. “dimensions” field) on SVG file after extracting it with a filter
  66. How to remove SVG Files inline code of WordPress Footer?
  67. Who is responsible for data sanitization in WordPress development?
  68. When I re-save a post with [code] sections, the entities are double-escaped (> becomes > etc)
  69. wp_query not searching with apostrophe
  70. Storing HTML in wp_options
  71. What is the proper way to validate and sanitize JSON response from REST API?
  72. SVG Featured image not shown in twitter
  73. Modify automatically generation of slug when term is created
  74. What function removes apostrophes when making a slug?
  75. How to sanitize uploaded file filename from a plugin?
  76. Something is unescaping all html entities before output to browser [closed]
  77. Securing/Escaping Output of file content – reading via fread() in PHP
  78. Add other social networks to TwentyNineteen_SVG_Icons class in child theme?
  79. Prevent invalid or empty values from being saved to the database and retain the form field values upon error
  80. Theme Customizier sanitize_callback not working
  81. Why the WP Core team does not allow filter_* functions? [closed]
  82. data-type=”” … needed post tags stripped of characters
  83. confused about sanitize_email after is_email [duplicate]
  84. HTML escaping data with ajax requests
  85. Invalidate username if it contains @ symbol
  86. Contact Form Security
  87. How to safely escape data that contains HTML attributes
  88. should I escape a literal url added in functions.php
  89. Change user nicename without sanitize
  90. HTML in category name
  91. Wrapping add_query_arg with esc_url not working
  92. wordpress post not showing my “” text>?
  93. SVG upload does not work
  94. Do I need to sanitize $_POST[‘keyword’] before send to ‘s’ parameter?
  95. Whitelist a single SVG for use in post_content
  96. Completely remove SVG icon load in child theme of Twenty Twenty-one theme
  97. SVG Upload to WordPress Issue
  98. How to make MySQL search queries with quotes
  99. Escape html structure in php
  100. site_url() returns with additional backslashes

Leave a Comment