Escaping and sanitizing SVGs in metabox textarea

Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github.com/darylldoyle/svg-sanitizer

Here is an example of how this could be used:

// Now do what you want with your clean SVG/XML data

function your_save_meta( $post_id, $post, $update ) {

    // - Update the post's metadata.

    if ( isset( $_POST['svg_meta'] ) ) {

        // Load the sanitizer. (This path will need to be updated)
        use enshrined\svgSanitize\Sanitizer;

        // Create a new sanitizer instance
        $sanitizer = new Sanitizer();

        // Pass your meta data to the sanitizer and get it back clean
        $cleanSVG = $sanitizer->sanitize($_POST['svg_meta']);

        // Update your post meta
        update_post_meta( $post_id, 'svg_meta_name', $cleanSVG );

    }

}
add_action( 'save_post', 'your_save_meta', 10, 3 );

Related Posts:

  1. Escape hexadecimals/rgba values
  2. Must I serialize/sanitize/escape array data before using set_transient?
  3. How to use wp_filter_oembed_result?
  4. Escaping data from database (users table) is necessary?
  5. Should I sanitize an email address before passing it to the is_email() function?
  6. Should HTML output be passed through esc_html() AND wp_kses()?
  7. Sanitize and data validation with apply_filters() function
  8. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  9. What’s the difference between esc_* functions?
  10. Reason for Lowercase usernames
  11. What is the best way to sanitize data?
  12. How to escape custom css?
  13. Escaping WP_Query tax_query when term has special character(s)
  14. Should nonce be sanitized?
  15. esc_url removes white space. Can I change that to using ‘-‘?
  16. WP Coding standards – escaping the inescapable?
  17. Sanitatizing when using the posts_where hook
  18. why is esc_html() returning nothing given a string containing a high-bit character?
  19. Sanitizing comments or escaping comment_text()
  20. Sanitizing, Validating and Escaping in WordPress (Plugin)
  21. How Could I sanitize the receive data from this code
  22. Echo JavaScript Safely
  23. How to sanitize user input?
  24. Which escape function to use when escaping an email or plain text?
  25. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  26. wp_kses ignore allowed and allow everything
  27. Sanitize array callback for the WordPress Settings API
  28. What is the safe way to print tracking code / pixel code before tag or tag
  29. How to escape $_GET and check if isset?
  30. How to escape html generate by a loop
  31. What’s a safe / good way to output HTML safely within WordPress templates?
  32. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  33. Sanitizing output that contains quotes?
  34. Do we need to escape data that we receive from theme options?
  35. WP_Customize_Manager: How to get control ID
  36. Escaping WP_Query tax_query when term has special character(s)
  37. Escaping and sanitization
  38. Escaping WP_Query tax_query when term has special character(s)
  39. Sanitization html output itself
  40. Post text sanitization after publishing/editing – changes are not saved
  41. wp_set_object_terms() without accents
  42. esc_url, esc_url_raw or sanitize_url?
  43. Properly sanitize an input field “Name “
  44. how to sanitizing $_POST with the correct way?
  45. What is the proper way to sanitize $_POST and $_GET vars?
  46. WooCommerce custom SVG coloring tool [closed]
  47. Why is sanitize_text_field() selectively trimming data?
  48. What are all the escape characters?
  49. Which characters need to be escaped when using Bash?
  50. what is a good method to sanitize the whole $_POST array in php?
  51. How to escape apostrophe (‘) in MySql?
  52. How to safely sanitize a textarea which takes full HTML input
  53. Can’t extract and set SVG dimensions
  54. Escaping quotes from shortcode attributes
  55. esc_attr / esc_html / esc_url in echos
  56. Do Cookies Need to be Sanatized Before Being Saved?
  57. Do you need to escape hard coded plain text?
  58. What is the difference between strip_tags and wp_filter_nohtml_kses?
  59. Adding extra SVGs to TwentyNineteen child theme using class TwentyNineteen_SVG_Icons
  60. Allowing SVG uploads in media uploader without plug-in
  61. When outputting a static string to the page, is it necessary to escape the output?
  62. I’m confused about URL sanitization in meta boxes
  63. Is default functions like update_post_meta safe to use user inputs?
  64. Who is responsible for data sanitization in WordPress development?
  65. Escape post image attachments added to template
  66. How to sanitize my cookie name
  67. MITM risk of not sanitizing?
  68. Base64 & JSON Encode array in PHP, use as HTML data attribute, decode and parse in JavaScript …. with proper Escaping
  69. How to get my post title to work with an apostrophe (‘s)?
  70. Is wp_kses the right approach in sanitizing this string?
  71. Seeking clarity on data sanitization fields for settings textarea
  72. Are all hooks/functions tied to Kses meant for sanitization?
  73. Why the WP Core team does not allow filter_* functions? [closed]
  74. data-type=”” … needed post tags stripped of characters
  75. wordpress is adding a second backslash when I use addslashes
  76. confused about sanitize_email after is_email [duplicate]
  77. HTML escaping data with ajax requests
  78. Invalidate username if it contains @ symbol
  79. Contact Form Security
  80. How to safely escape data that contains HTML attributes
  81. Change user nicename without sanitize
  82. How to allow single quote with esc_html__() without sprintf()
  83. HTML in category name
  84. Wrapping add_query_arg with esc_url not working
  85. wordpress post not showing my “” text>?
  86. Do I need to sanitize $_POST[‘keyword’] before send to ‘s’ parameter?
  87. Whitelist a single SVG for use in post_content
  88. Completely remove SVG icon load in child theme of Twenty Twenty-one theme
  89. SVG Upload to WordPress Issue
  90. import svg-files from wxr – (upload works, import not)
  91. site_url() returns with additional backslashes
  92. Trouble creating custom sanitization function when uploading video files
  93. Sanitize and Save metabox values
  94. Why are some SVG-images not visible in my footer?
  95. SVG showing only in square ratio (using elementor) [closed]
  96. Does it make sense to sanitize the output of an SVG file?
  97. how to escape alert/window.location.replace with variable
  98. What is best practice when escaping the_title()?
  99. If necessary, how should wp_get_attachment_image() and its parameters be escaped?
  100. Is it necessary to use escape functions on everything or is it only necessary if you’re taking input from a 3rd party? (End Users, APIs, Etc.)

Leave a Comment