Make sure nested php tags are also removed when sanitising svg

src/Sanitizer.php

@@ -220,8 +220,13 @@ public function sanitize($dirty)
             return '';
         }
 
-        // Strip php tags
-        $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty);
+        do {
+            /*
+             * recursively remove php tags because they can be hidden inside tags
+             * i.e. <?p<?php test?>hp echo . ' danger! ';?>
+             */
+            $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty);
+        } while (preg_match('/<\?(=|php)(.+?)\?>/i', $dirty) != 0);
 
         $this->resetInternal();
         $this->setUpBefore();

tests/SanitizerTest.php

@@ -308,34 +308,34 @@ public function testLargeUseDOSattacksAreNullified()
         self::assertXmlStringEqualsXmlString($expected, $cleanData);
     }
 
-	public function testInvalidNodesAreHandled()
-	{
-		$dataDirectory = __DIR__ . '/data';
-		$initialData = file_get_contents($dataDirectory . '/htmlTest.svg');
-		$expected = file_get_contents($dataDirectory . '/htmlClean.svg');
+    public function testInvalidNodesAreHandled()
+    {
+        $dataDirectory = __DIR__ . '/data';
+        $initialData = file_get_contents($dataDirectory . '/htmlTest.svg');
+        $expected = file_get_contents($dataDirectory . '/htmlClean.svg');
 
-		$sanitizer = new Sanitizer();
-		$sanitizer->minify(false);
-		$cleanData = $sanitizer->sanitize($initialData);
+        $sanitizer = new Sanitizer();
+        $sanitizer->minify(false);
+        $cleanData = $sanitizer->sanitize($initialData);
 
-		self::assertXmlStringEqualsXmlString($expected, $cleanData);
-	}
+        self::assertXmlStringEqualsXmlString($expected, $cleanData);
+    }
 
     /**
      * @test
      */
-	public function cdataSectionIsSanitized()
-	{
-		$dataDirectory = __DIR__ . '/data';
-		$initialData = file_get_contents($dataDirectory . '/cdataTest.svg');
-		$expected = file_get_contents($dataDirectory . '/cdataClean.svg');
+    public function cdataSectionIsSanitized()
+    {
+        $dataDirectory = __DIR__ . '/data';
+        $initialData = file_get_contents($dataDirectory . '/cdataTest.svg');
+        $expected = file_get_contents($dataDirectory . '/cdataClean.svg');
 
-		$sanitizer = new Sanitizer();
-		$sanitizer->minify(false);
-		$cleanData = $sanitizer->sanitize($initialData);
+        $sanitizer = new Sanitizer();
+        $sanitizer->minify(false);
+        $cleanData = $sanitizer->sanitize($initialData);
 
-		self::assertXmlStringEqualsXmlString($expected, $cleanData);
-	}
+        self::assertXmlStringEqualsXmlString($expected, $cleanData);
+    }
 
     /**
      * @test
@@ -368,4 +368,38 @@ public function formDataisSanitized()
 
         self::assertXmlStringEqualsXmlString($expected, $cleanData);
     }
+
+    /**
+     * @test
+     */
+    public function maliciousSvgJsSanitized()
+    {
+        $dataDirectory = __DIR__ . '/data';
+        $initialData = file_get_contents($dataDirectory . '/maliciousJsAndPhpTest.svg');
+        $expected = file_get_contents($dataDirectory . '/maliciousJsAndPhpClean.svg');
+
+
+        $sanitizer = new Sanitizer();
+        $sanitizer->minify(false);
+        $cleanData = $sanitizer->sanitize($initialData);
+
+        self::assertXmlStringEqualsXmlString($expected, $cleanData);
+    }
+
+    /**
+     * @test
+     */
+    public function maliciousSvgPhpTagsStripped()
+    {
+        $dataDirectory = __DIR__ . '/data';
+        $initialData = file_get_contents($dataDirectory . '/maliciousJsAndPhpTest.svg');
+
+        $sanitizer = new Sanitizer();
+        $sanitizer->minify(false);
+        $cleanData = $sanitizer->sanitize($initialData);
+
+        foreach (['<?php', '<?='] as $value) {
+            self::assertStringNotContainsString($value, $cleanData);
+        }
+    }
 }