From 7770953d5ffee2ca982d1ed01321cf15fe9a5636 Mon Sep 17 00:00:00 2001
From: Ben Marshall
Date: Thu, 20 Jul 2023 14:09:51 -0500
Subject: [PATCH 1/3] feat(kses): added a helper function for wp_kses to santize allowed svg tags
---
 includes/safe-svg-tags.php | 94 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
diff --git a/includes/safe-svg-tags.php b/includes/safe-svg-tags.php
index a4e120cd..8207bd79 100644
--- a/includes/safe-svg-tags.php
+++ b/includes/safe-svg-tags.php
@@ -24,4 +24,98 @@ public static function getTags() {
 */
 return apply_filters( 'svg_allowed_tags', parent::getTags() );
 }
+
+ /**
+ * Standard SVG settings for escaping through `wp_kses()` function.
+ *
+ * @return array Array of allowed HTML tags and their allowed attributes.
+ */
+ public function kses_allowed_html() {
+ return array(
+ 'svg' => array(
+ 'version' => true,
+ 'class' => true,
+ 'fill' => true,
+ 'height' => true,
+ 'xml:space' => true,
+ 'xmlns' => true,
+ 'xmlns:xlink' => true,
+ 'viewbox' => true,
+ 'enable-background' => true,
+ 'width' => true,
+ 'x' => true,
+ 'y' => true,
+ ),
+ 'path' => array(
+ 'clip-rule' => true,
+ 'd' => true,
+ 'fill' => true,
+ 'fill-rule' => true,
+ 'stroke' => true,
+ 'stroke-width' => true,
+ ),
+ 'g' => array(
+ 'class' => true,
+ 'clip-rule' => true,
+ 'd' => true,
+ 'transform' => true,
+ 'fill' => true,
+ 'fill-rule' => true,
+ 'stroke' => true,
+ 'stroke-width' => true,
+ ),
+ 'rect' => array(
+ 'clip-rule' => true,
+ 'd' => true,
+ 'transform' => true,
+ 'fill' => true,
+ 'fill-rule' => true,
+ 'stroke' => true,
+ 'stroke-width' => true,
+ 'width' => true,
+ 'height' => true,
+ ),
+ 'polygon' => array(
+ 'clip-rule' => true,
+ 'd' => true,
+ 'fill' => true,
+ 'fill-rule' => true,
+ 'stroke' => true,
+ 'stroke-width' => true,
+ 'points' => true,
+ ),
+ 'circle' => array(
+ 'clip-rule' => true,
+ 'd' => true,
+ 'fill' => true,
+ 'fill-rule' => true,
+ 'stroke' => true,
+ 'stroke-width' => true,
+ 'cx' => true,
+ 'cy' => true,
+ 'r' => true,
+ ),
+ 'lineargradient' => array(
+ 'id' => true,
+ 'gradientunits' => true,
+ 'x' => true,
+ 'y' => true,
+ 'x2' => true,
+ 'y2' => true,
+ 'gradienttransform' => true,
+ ),
+ 'stop' => array(
+ 'offset' => true,
+ 'style' => true,
+ ),
+ 'image' => array(
+ 'height' => true,
+ 'width' => true,
+ 'xlink:href' => true,
+ ),
+ 'defs' => array(
+ 'clipPath' => true,
+ ),
+ );
+ }
 }
From 145103be5cfc8f5bdade328404a15ec87037af1e Mon Sep 17 00:00:00 2001
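Review bot: The `defs` entry lists `clipPath` as an attribute, but `clipPath` is an SVG element, not an attribute of `defs`, and as far as I recall wp_kses lowercases attribute names before looking them up, so this key can never match and any `<clipPath>` inside `<defs>` will be stripped; if clip paths are meant to pass, add an element entry such as `'clippath' => array( 'id' => true ),` plus `'clip-path' => true` on the shapes that reference it. The `d` attribute is likewise listed on `g`, `rect`, `polygon` and `circle`, where it has no meaning, and `lineargradient` lists `x`/`y` where that element's own attributes are `x1`/`y1`. Unlike `getTags()` just above, the list is not passed through `apply_filters()`, so a site cannot extend it without overriding the method; a filter hook parallel to `svg_allowed_tags` would keep the two APIs consistent. Because this array is the security boundary for anything echoed through `wp_kses()`, the docblock should state which constructs are intentionally absent (`script`, `foreignObject`, `use`, `on*` event attributes) so they are not re-added casually, and a comment on `'xlink:href' => true` noting that it is only acceptable because wp_kses checks that attribute against the allowed-protocol list (via `wp_kses_uri_attributes()`, worth confirming) and that `'style'` on `stop` relies on the core CSS filter would help the next maintainer.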
From: Ben Marshall
Date: Thu, 20 Jul 2023 14:54:40 -0500
Subject: [PATCH 2/3] feat(kses): added unit test for kses_allowed_html
---
 includes/safe-svg-tags.php | 2 +-
 tests/unit/test-safe-svg-tags.php | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/includes/safe-svg-tags.php b/includes/safe-svg-tags.php
index 8207bd79..18ac7951 100644
--- a/includes/safe-svg-tags.php
+++ b/includes/safe-svg-tags.php
@@ -30,7 +30,7 @@ public static function getTags() {
 *
 * @return array Array of allowed HTML tags and their allowed attributes.
 */
- public function kses_allowed_html() {
+ public static function kses_allowed_html() {
 return array(
 'svg' => array(
 'version' => true,
diff --git a/tests/unit/test-safe-svg-tags.php b/tests/unit/test-safe-svg-tags.php
index 0b8688b2..5535a717 100644
--- a/tests/unit/test-safe-svg-tags.php
+++ b/tests/unit/test-safe-svg-tags.php
@@ -47,4 +47,14 @@ public function test_get_tags() {
 $this->assertContains( 'customTag', $svg_tags );
 $this->assertSame( $svg_tags, $filtered_svg_tags );
 }
+
+ /**
+ * Test the kses_allowed_html function.
+ *
+ * @throws PHPUnit\Framework\AssertionFailedError If the function does not return an array.
+ */
+ public function test_kses_allowed_html() {
+ $allowed_html = SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html();
+ $this->assertIsArray( $allowed_html );
+ }
 }
From 6caa7ba82f700477cc5f23af6aafd1f5de758a5b Mon Sep 17 00:00:00 2001
From: Ben Marshall
Date: Thu, 20 Jul 2023 14:59:39 -0500
Subject: [PATCH 3/3] feat(kses_allowed_html): updated the documentation
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index fb41a314..16fd7bf4 100644
--- a/README.md
+++ b/README.md
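Review bot: `test_kses_allowed_html` only asserts that the return value is an array, which an empty array would also satisfy, so the test does not guard the allow-list against accidental removals or against a disallowed element slipping in. Assert on the structure, e.g. `$this->assertArrayHasKey( 'svg', $allowed_html );` and `$this->assertArrayNotHasKey( 'script', $allowed_html );`, and ideally pass a small SVG through `wp_kses()` with this list to check that permitted markup survives while a `<script>` element is stripped. The `@throws PHPUnit\Framework\AssertionFailedError` tag in the new docblock restates what every PHPUnit assertion does and can be dropped. The earlier hunk in this patch only makes the method static, which the call on the new test line relies on, so the two hunks belong together.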
@@ -74,6 +74,14 @@ add_filter( 'svg_allowed_tags', function ( $tags ) {
 } );
 ```
+### Can `wp_kses` be used with a helper to sanitize an SVG?
+
+Indeed, you can accomplish this with `\SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html()`:
+
+```php
+echo wp_kses('', \SafeSvg\SafeSvgTags\safe_svg_tags::kses_allowed_html())
+```
+
 ## Support Level
 **Stable:** 10up is not planning to develop any new features for this, but will still respond to bug reports and security concerns. We welcome PRs, but any that include new features should be small and easy to integrate and should not include breaking changes. We otherwise intend to keep this tested up to the most recent version of WordPress.