SVG files greater than 10Mb won't be sanitized
Closed this issue · 2 comments
Recently had a report of an SVG not being uploaded correctly within the Safe SVG WordPress plugin (which uses this library). In investigating, found out that DOMDocument::loadXML only supports files that are 10Mb or under. The SVG that was having issues was slightly over that mark.
There is a config option we can pass in to allow larger files (LIBXML_PARSEHUGE) which did fix this reported issue. Not sure if there's any downside to this though.
Would need to change this line:
https://github.com/darylldoyle/svg-sanitizer/blob/master/src/Sanitizer.php#L201
to
$loaded = $this->xmlDocument->loadXML($dirty, LIBXML_PARSEHUGE);
From PHP docs (https://www.php.net/manual/en/libxml.constants.php):
Sets XML_PARSE_HUGE flag, which relaxes any hardcoded limit from the parser. This affects limits like maximum depth of a document or the entity recursion, as well as limits of the size of text nodes.
The only thing that should be checked manually then, concerns recursions.
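One way to limit the downside raised in this thread, as an added example that is not part of the issue or of svg-sanitizer: keep the default parser limits for ordinary files and allow LIBXML_PARSEHUGE only for input that passes an explicit gate. The function names, the byte and depth caps, the use of LIBXML_NONET, and the policy of refusing any DOCTYPE on the relaxed path are assumptions.

```php
<?php
// Added example, not svg-sanitizer code. Names, caps and policy are assumptions.
const MAX_SVG_BYTES = 64 * 1024 * 1024; // assumed explicit cap replacing the parser's
const MAX_SVG_DEPTH = 256;              // assumed cap on element nesting

// Stream the input once and decide whether it may go through LIBXML_PARSEHUGE:
// within the byte cap, no DOCTYPE (so no entity declarations), bounded depth.
function isSafeForParseHuge(string $xml): bool
{
    if ($xml === '' || strlen($xml) > MAX_SVG_BYTES) {
        return false;
    }
    $reader = new XMLReader();
    if (!$reader->XML($xml, null, LIBXML_PARSEHUGE | LIBXML_NONET)) {
        return false;
    }
    $safe = true;
    while (@$reader->read()) { // a parse error ends the loop; loadXML() then fails too
        if ($reader->nodeType === XMLReader::DOC_TYPE || $reader->depth > MAX_SVG_DEPTH) {
            $safe = false;
            break;
        }
    }
    $reader->close();
    return $safe;
}

function loadSvg(string $dirty): ?DOMDocument
{
    if ($dirty === '') {
        return null;
    }
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if ($doc->loadXML($dirty, LIBXML_NONET)) { // default limits first
            return $doc;
        }
        $doc = new DOMDocument();                  // relaxed limits only behind the gate
        $ok = isSafeForParseHuge($dirty) && $doc->loadXML($dirty, LIBXML_PARSEHUGE | LIBXML_NONET);
        return $ok ? $doc : null;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed inputs: a plain SVG, and one that declares an entity in a DOCTYPE.
var_dump(isSafeForParseHuge('<svg xmlns="http://www.w3.org/2000/svg"><g/></svg>'));
var_dump(isSafeForParseHuge('<!DOCTYPE svg [<!ENTITY a "aaaa">]><svg>&a;</svg>'));
```

Files with a DOCTYPE still load through the default-limit path; only the relaxed path refuses them, so the trade-off is that an oversized SVG carrying a DOCTYPE is rejected.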