Here is a PHP library that was created for sanitizing SVG files that may be worth looking into. https://github.com/darylldoyle/svg-sanitizer
Here is an example of how this could be used:
<?php
// Load the sanitizer. (This path will need to be updated.)
// The use statement must sit at file scope, not inside the function.
require_once __DIR__ . '/vendor/autoload.php';
use enshrined\svgSanitize\Sanitizer;

function your_save_meta( $post_id, $post, $update ) {
    // Update the post's metadata.
    if ( isset( $_POST['svg_meta'] ) ) {
        // Create a new sanitizer instance
        $sanitizer = new Sanitizer();
        // Pass your meta data to the sanitizer and get it back clean
        // (wp_unslash() removes the slashes WordPress adds to $_POST)
        $cleanSVG = $sanitizer->sanitize( wp_unslash( $_POST['svg_meta'] ) );
        // sanitize() returns false if the input is not well-formed XML; keep nothing in that case
        if ( false === $cleanSVG ) {
            return;
        }
        // Now do what you want with your clean SVG/XML data: update your post meta
        update_post_meta( $post_id, 'svg_meta_name', $cleanSVG );
    }
}
add_action( 'save_post', 'your_save_meta', 10, 3 );
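As an added example (not from the answer above or from the svg-sanitizer project), the same library hooked into WordPress's wp_handle_upload_prefilter filter so every SVG upload is cleaned before it is stored, and rejected if the sanitizer cannot parse it. It assumes svg-sanitizer is installed via Composer and that SVG uploads are already enabled through the upload_mimes filter; the function name example_sanitize_svg_upload is hypothetical.

```php
<?php
// Added example: sanitize SVG files at upload time.
// Assumes Composer autoload is available and WordPress is loaded.
require_once __DIR__ . '/vendor/autoload.php';
use enshrined\svgSanitize\Sanitizer;

/**
 * Runs on the $file array from $_FILES before WordPress moves the upload.
 * Setting $file['error'] to a string makes wp_handle_upload() abort with that message.
 */
function example_sanitize_svg_upload( array $file ) {
    // Only touch files that are SVG by extension or browser-reported type.
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' !== $ext && 'image/svg+xml' !== $file['type'] ) {
        return $file;
    }

    $dirty = file_get_contents( $file['tmp_name'] );
    if ( false === $dirty ) {
        $file['error'] = 'Unable to read the uploaded SVG.';
        return $file;
    }

    $sanitizer = new Sanitizer();
    // Drop references to remote hosts (external images, fonts, xlink targets).
    $sanitizer->removeRemoteReferences( true );
    $clean = $sanitizer->sanitize( $dirty );

    // sanitize() returns false when the XML cannot be loaded; reject rather than store it.
    if ( false === $clean ) {
        $file['error'] = 'The SVG could not be sanitized and was rejected.';
        return $file;
    }

    // Overwrite the temp file so WordPress stores the cleaned document.
    if ( false === file_put_contents( $file['tmp_name'], $clean ) ) {
        $file['error'] = 'Unable to write the sanitized SVG.';
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_sanitize_svg_upload' );
```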