php htmlpurifier

How do I allow base64 svg in img src?


I'm using HTMLPurifier to make sure there is no malicious user input.

I'm having a hard time with base64 images. The regular one is already solved.
$config->set('URI.AllowedSchemes', ['data' => true]);

But how about the following?
<img src="data:image/svg+xml;base64,PHN2Zy...4MTEpIi8+PC9zdmc+Cg==" />


Solution

  • For everyone looking for a solution: there is no built-in way to allow base64 SVG images, but there is a way to solve it.

    I could not find any official documentation, but you can write custom validations.

    <?php
    
    namespace App\Services\HTMLPurifier;
    
    use HTMLPurifier_AttrDef_URI;
    
    /**
     * Class ParameterURIDef
     * @author Artem Schander
     */
    class ParameterURIDef extends HTMLPurifier_AttrDef_URI
    {
        public function validate($uri, $config, $context)
        {
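            // Returning true keeps the attribute value exactly as submitted.
            // The pattern checks only the prefix and the absence of a double quote;
            // the base64 payload is not decoded and the SVG is not inspected.
            if (preg_match('/^data:image\/svg\+xml;base64,([^\"]*)$/', $uri)) {
                return true;
            }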
    
            return parent::validate($uri, $config, $context);
        }
    }
    
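    // Usage, in the code that builds the purifier. The leading backslashes make the
    // global HTMLPurifier classes resolve even from inside a namespaced file.
    $config = \HTMLPurifier_Config::createDefault();
    $config->set('URI.AllowedSchemes', ['data' => true]);
    // Passing true requests the raw definition, which can still be modified.
    $definition = $config->getHTMLDefinition(true);
    // Replace the default validator for <img src> with the custom one.
    $definition->addAttribute('img', 'src', new \App\Services\HTMLPurifier\ParameterURIDef());

    $HTMLPurifier = new \HTMLPurifier($config);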
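
The validator in the answer accepts any value that starts with the SVG data prefix. The following is an added example, not part of the original answer or of HTMLPurifier, that decodes the payload and inspects the SVG before accepting it; `isSafeSvgDataUri()`, `MAX_SVG_BYTES` and the list of rejected elements are assumptions chosen for illustration, and it needs only PHP's DOM extension.

```php
<?php
// Added example: validator for data:image/svg+xml;base64 URIs (hypothetical helper).
const MAX_SVG_BYTES = 65536; // assumed upper bound for an inline image
function isSafeSvgDataUri(string $uri): bool
{
    // Canonical base64 alphabet only; the D modifier forbids a trailing newline.
    if (!preg_match('~^data:image/svg\+xml;base64,([A-Za-z0-9+/]+={0,2})$~D', $uri, $m)) {
        return false;
    }
    $svg = base64_decode($m[1], true);
    if ($svg === false || $svg === '' || strlen($svg) > MAX_SVG_BYTES) {
        return false;
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $parsed = $doc->loadXML($svg, LIBXML_NONET); // never fetch over the network
    libxml_clear_errors();
    if (!$parsed || $doc->doctype !== null || $doc->documentElement->localName !== 'svg') {
        return false; // not XML, carries a DTD, or the root is not <svg>
    }
    $forbidden = ['script', 'foreignobject', 'iframe', 'object', 'embed'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array(strtolower($el->localName), $forbidden, true)) {
            return false;
        }
        foreach ($el->attributes as $attr) {
            $name  = strtolower($attr->localName);
            $value = preg_replace('/\s+/', '', $attr->value);
            if (strpos($name, 'on') === 0) {
                return false; // event-handler attribute such as onload
            }
            if (($name === 'href' || $name === 'src') && $value !== '' && $value[0] !== '#') {
                return false; // only same-document fragment references are kept
            }
        }
    }
    return true;
}

// Constructed samples, encoded here so the script runs offline.
$samples = [
    'plain shape'  => '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    'script child' => '<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>',
    'onload attr'  => '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>',
];
foreach ($samples as $label => $xml) {
    $uri = 'data:image/svg+xml;base64,' . base64_encode($xml);
    printf("%-12s %s\n", $label, isSafeSvgDataUri($uri) ? 'accept' : 'reject');
}
```

Inside `ParameterURIDef::validate()` this check would take the place of the bare `preg_match`, returning `true` when the helper accepts the URI and `false` when an SVG data URI fails it.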