Skip to content
forked from 10up/safe-svg

Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.

License

Notifications You must be signed in to change notification settings

johnolek/safe-svg

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

=== Safe SVG ===
Contributors:      enshrined
Donate link:       https://wpsvg.com/
Tags:              svg, sanitize, upload, sanitise, security, svg upload, image, vector, file, graphic, media, mime
Requires at least: 4.0
Tested up to:      5.8
Requires PHP:      5.6
Stable tag:        1.9.9
License:           GPLv2 or later
License URI:       http://www.gnu.org/licenses/gpl-2.0.html

Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website

== Description ==

Safe SVG is the best way to Allow SVG Uploads in WordPress!

It gives you the ability to allow SVG uploads whilst making sure that they're sanitized to stop SVG/XML vulnerabilities affecting your site.
It also gives you the ability to preview your uploaded SVGs in the media library in all views.

>**[Loving Safe SVG? Try the Pro version for extra features.](https://wpsvg.com/)**

#### Free Features
* **Sanitised SVGs** - Don't open up security holes in your WordPress site by allowing uploads of unsanitised files.
* **View SVGs in the Media Library** - Gone are the days of guessing which SVG is the correct one, we'll enable SVG previews in the WordPress media library.

#### Pro Features
* **SVGO Optimisation** - You'll have the option to run your SVGs through our SVGO server on upload to save you space.
* **Choose Who Can Upload** - Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.
* **Premium Support** - Pro users get premium support whilst free support is offered in the WordPress forums in our spare time


Initially a proof of concept for [#24251](https://core.trac.wordpress.org/ticket/24251)

SVG Sanitization is done through the following library: [https://github.com/darylldoyle/svg-sanitizer](https://github.com/darylldoyle/svg-sanitizer)

== Installation ==

Install through the WordPress directory or download, unzip and upload the files to your `/wp-content/plugins/` directory

== Frequently Asked Questions ==

= Can we change the allowed attributes and tags? =

Yes, this can be done using the `svg_allowed_attributes` and `svg_allowed_tags` filters.
They take one argument that must be returned. See below for examples:

    add_filter( 'svg_allowed_attributes', function ( $attributes ) {

        // Do what you want here...

        // This should return an array so add your attributes to
        // to the $attributes array before returning it. E.G.

        $attributes[] = 'target'; // This would allow the target="" attribute.

        return $attributes;
    } );


    add_filter( 'svg_allowed_tags', function ( $tags ) {

        // Do what you want here...

        // This should return an array so add your tags to
        // to the $tags array before returning it. E.G.

        $tags[] = 'use'; // This would allow the <use> element.

        return $tags;
    } );

== Changelog ==

= 1.9.9 =
* Fixed issue where 100% width is accidentally converted to 100px width. Props @joehoyle

= 1.9.8 =
* Underlying library update

= 1.9.7 =
* Underlying library update

= 1.9.6 =
* Underlying library update that fixes a security issue

= 1.9.5 =
* Underlying library update that fixes some security issues

= 1.9.4 =
* Fixed a bug causing lots of error log output to do with `safe_svg::fix_direct_image_output()`

= 1.9.3 =
* Fixed a bug causing 0 height and width SVGs

= 1.9.2 =
* Fixed a warning about an Illegal string offset
* Fixed an issue if something other than a WP_Post object is passed in via the `wp_get_attachment_image_attributes` filter.

= 1.9.1 =
* Fixed a warning that was being generated by a change made in 1.9.0.

= 1.9.0 =
* If an image is the correct ratio, allow skipping of the crop popup when setting header/logo images with SVGs.

= 1.8.1 =
* Don't let errors break upload if uploading an empty file
* Fix featured image display in Gutenberg. Props @hendridm :)

= 1.8.0 =
* Pull SVG dimensions from the width/height or viewbox attributes of the SVG.
* Add the role="img" attribute to SVGs

= 1.7.1 =
* Updated underlying lib and added new filters for filtering allowed tags and attributes

= 1.6.1 =
* Images will now use the size chosen when inserted into the page rather than default to 2000px everytime.

= 1.6.0 =
* Fairly big new feature - The library now allows `<use>` elements as long as they don't reference external files!
* You can now also embed safe image types within the SVG and not have them stripped (PNG, GIF, JPG)

= 1.5.3 =
* 1.5.2 introduced an issue that can freeze the media library. This fixes that issue. Sorry!

= 1.5.2 =
* Tested with 4.9.0
* Fixed an issue with SVGs when regenerating media

= 1.5.1 =
* Fix PHP strict standards warning

= 1.5.0 =
* Library update
* role, aria- and data- attributes are now whitelisted to improve accessibility

= 1.4.5 =
* Fixes some issues with defining the size of an SVG.
* Library update

= 1.4.4 =
* SVGs now display as featured images in the admin area

= 1.4.3 =
* WordPress 4.7.3 Compatibility
* Expanded SVG previews in media library

= 1.4.2 =
* Added a check / fix for when mb_* functions are not available

= 1.4.1 =
* Updated underlying library to allow attributes/tags in all case variations

= 1.4.0 =
* Added ability to preview SVG on both grid and list view in the wp-admin media area
* Updated underlying library version

= 1.3.4 =
* A fix for SVGZ uploads failing and not sanitising correctly

= 1.3.3 =
* Allow SVGZ uploads

= 1.3.2 =
* Fix for the mime type issue in 4.7.1. Mad props to @lewiscowles

= 1.3.1 =
* Updated underlying library version

= 1.3.0 =
* Minify SVGs after cleaning so they can be loaded correctly through file_get_contents

= 1.2.0 =
* Added support for camel case attributes such as viewBox

= 1.1.1 =
* Fixed an issue with empty svg elements self-closing

= 1.1.0 =
* Added i18n
* Added da, de ,en, es, fr, nl and ru translations
* Fixed an issue with filename not being pulled over on failed uploads

= 1.0.0 =
* Initial Release

About

Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • PHP 98.6%
  • CSS 1.4%