enshrined/svg-sanitize
PHP SVG/XML sanitizer inspired by DOMPurify. Clean untrusted SVGs with a simple sanitize() call, optional custom tag/attribute whitelists, remote reference stripping to prevent leaks, issue reporting, and output minification. Returns clean XML or false on parse errors.
Architecture fit: Excellent for Laravel as a pure PHP package leveraging ext-dom/ext-libxml with no framework-specific dependencies. Integrates cleanly via service container or middleware, fitting standard MVC patterns without requiring architectural changes.
Integration feasibility: High. Composer installation is trivial (composer require enshrined/svg-sanitize), and the API is minimal (single sanitize() method). Proven real-world usage in WordPress (Safe SVG plugin) and Drupal modules reduces implementation risk.
Technical risk: Moderate. GPL-2.0 license conflicts with proprietary software policies. Suspicious "2025-08-12" release date (likely data error) and low GitHub activity (last commit Sept 2023) raise maintenance concerns. Packagist shows 0 dependents despite CMS integrations.
Key questions:
Stack fit: Native PHP compatibility ensures seamless integration into Laravel's stack. Works with any PSR-7 HTTP stack and can be wrapped in a service provider, custom validator rule, or middleware without conflicts.
Migration path: Add via Composer, then integrate into upload pipeline (e.g., sanitize before Storage::put()). Existing validation logic can be extended by adding sanitizer checks in controller logic or custom rules.
Compatibility: Requires PHP 7.2+ with DOM/libxml extensions. Fully compatible with Symfony, Laravel, and other PHP frameworks. No known conflicts with common Laravel packages like Intervention Image.
Sequencing: 1) Install via Composer; 2) Create singleton sanitizer instance in service container; 3) Implement in upload middleware or controller; 4) Test with sample SVGs (including edge cases like malformed XML); 5) Configure whitelists and remote reference blocking as needed.
Maintenance: GPL-2.0 requires legal review for proprietary projects. Community support via GitHub issues but low recent activity may slow fixes. WordPress/Drupal usage provides indirect maintenance via CMS ecosystems, but internal ownership is likely needed for critical issues.
Support: Comprehensive documentation (README, demo tool, CLI scanner) but no enterprise support options. Debugging relies on getXmlIssues() and on capturing libxml errors yourself; there are no built-in logging hooks.
Scaling: CPU-bound operation; minify(true) reduces storage/bandwidth but doesn't improve processing speed. For >50 SVGs/sec, implement async queues or cache sanitized results. Performance testing recommended under peak load.
Failure modes: Malformed XML makes sanitize() return false, and the underlying parse errors are cryptic unless libxml errors are captured beforehand. Remote reference blocking adds ~15% overhead. Silent failures are possible if getXmlIssues() isn't logged.
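The migration path, sequencing and failure-mode points above, as an added example (this is not the package's own code): a wrapper that captures libxml errors around sanitize() so a false return can be logged with its cause, and that records getXmlIssues() for review. It assumes Composer autoloading, uses the package's documented Sanitizer methods, and the SvgUploadSanitizer class name and the sample SVG are constructed here.

```php
<?php
// Added example: wraps enshrined/svg-sanitize for an upload pipeline.
// Assumes vendor/autoload.php exists; class name below is an assumption.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

final class SvgUploadSanitizer
{
    /** @var Sanitizer */
    private $sanitizer;

    public function __construct()
    {
        $this->sanitizer = new Sanitizer();
        $this->sanitizer->removeRemoteReferences(true); // block external references (leak prevention)
        $this->sanitizer->minify(true);                 // smaller stored output, same security posture
    }

    /** @return array{clean: string|false, issues: array, libxml: string[]} */
    public function clean(string $dirtySvg): array
    {
        // Capture libxml errors so a false result is explainable instead of silent.
        $previous = libxml_use_internal_errors(true);
        libxml_clear_errors();

        $clean = $this->sanitizer->sanitize($dirtySvg);

        $libxmlErrors = array_map(function (\LibXMLError $e) {
            return trim($e->message) . ' (line ' . $e->line . ')';
        }, libxml_get_errors());
        libxml_clear_errors();
        libxml_use_internal_errors($previous);

        return [
            'clean'  => $clean,                           // sanitized XML, or false on parse failure
            'issues' => $this->sanitizer->getXmlIssues(), // what the sanitizer removed; log this
            'libxml' => $libxmlErrors,                    // parse errors behind a false result
        ];
    }
}

// Constructed sample: a script element and a remote image reference, which sanitization strips.
$dirty = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script>'
       . '<image href="http://example.invalid/x.png"/></svg>';
$result = (new SvgUploadSanitizer())->clean($dirty);
if ($result['clean'] === false) {
    error_log('SVG rejected: ' . implode('; ', $result['libxml']));
} else {
    error_log('SVG issues: ' . json_encode($result['issues'])); // then e.g. Storage::put($result['clean'])
}
```

Feeding the wrapper a deliberately truncated SVG (e.g. a missing closing tag) exercises the false path and shows the captured libxml message that would otherwise be lost.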
Ramp-up: Low learning curve due to the simple API and clear examples. Developers need basic SVG security knowledge and an understanding of DOM manipulation. The demo tool and WordPress plugin examples accelerate adoption; basic integration typically takes under a day.