July 05, 2024

Safe SVG Plugin

Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.

Safe SVG is the best way to Allow SVG Uploads in WordPress!

It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.

Current Features

Sanitised SVGs – Don’t open up security holes in your WordPress site by allowing uploads of unsanitised files.
SVGO Optimisation – Runs your SVGs through the SVGO tool on upload to save you space. This feature is disabled by default but can be enabled by adding the following code: add_filter( 'safe_svg_optimizer_enabled', '__return_true' );
View SVGs in the Media Library – Gone are the days of guessing which SVG is the correct one, we’ll enable SVG previews in the WordPress media library.
Choose Who Can Upload – Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.

Initially a proof of concept for #24251.

SVG Sanitization is done through the following library: https://github.com/darylldoyle/svg-sanitizer.

SVG Optimization is done through the following library: https://github.com/svg/svgo.

Installation

Install through the WordPress directory or download, unzip and upload the files to your /wp-content/plugins/ directory

FAQ

Can we change the allowed attributes and tags?

Yes, this can be done using the svg_allowed_attributes and svg_allowed_tags filters.
They take one argument that must be returned. See below for examples:

add_filter( 'svg_allowed_attributes', function ( $attributes ) { // Do what you want here... // This should return an array so add your attributes to // to the $attributes array before returning it. E.G. $attributes[] = 'target'; // This would allow the target="" attribute. return $attributes; } ); add_filter( 'svg_allowed_tags', function ( $tags ) { // Do what you want here... // This should return an array so add your tags to // to the $tags array before returning it. E.G. $tags[] = 'use'; // This would allow the <use> element. return $tags; } );

Changelog

2.2.5 – 2024-06-27

Added: New filter, safe_svg_current_user_can_upload, allowing more control over who can upload SVG files (props @dkotter, @iamdharmesh via #193).
Fixed: Fatal error when applying the admin_post_thumbnail_html filter with just two arguments (props @kmgalanakis, @dkotter, @liz1kiweno via #196).
Fixed: Prevent PHP fatal error when the value of the filtered block categories is not an array (props @kmgalanakis, @dkotter, @cguidog via #200).
Fixed: Handled PHP warning when the $image_meta is not an array (props @faisal-alvi, @dkotter, @drazenbebic, @kirtangajjar via #203).

2.2.4 – 2024-03-28

Changed: Upgrade the download-artifact from v3 to v4 (props @iamdharmesh, @jeffpaul via #181).
Changed: Replaced lee-dohm/no-response with actions/stale to help with closing no-response/stale issues (props @jeffpaul, @dkotter via #183).
Fixed: Ensure the svg file can be loaded before we try accessing it’s attributes (props @dkotter, @metashield-ie, @ocean90, @darylldoyle, @faisal-alvi via #186).
Fixed: Ensure we don’t throw JS errors in the Classic Editor when the optimizer feature is turned on (props @dkotter, @turtlepod, @faisal-alvi via #187).
Security: Bump webpack-dev-middleware from 5.3.3 to 5.3.4 (props @dependabot, @dkotter via #185).
Security: Bump express from 4.18.2 to 4.19.2 (props @dependabot, @dkotter via #188).

2.2.3 – 2024-03-20

Added: Support for the WordPress.org plugin preview (props @dkotter, @jeffpaul via #167).
Changed: Bump WordPress “tested up to” version 6.5 (props @dkotter, @jeffpaul via #180).
Changed: Clean up NPM dependencies and update node to v20 (props @Sidsector9, @dkotter via #172).
Fixed: Refactor the svg_dimensions function to be more performant (props @sksaju, @cjyabraham, @bmarshall511, @Hercilio1, @darylldoyle via #154, #174).
Fixed: Address fatal JS error when optimization is enabled and an item is published without blocks (props @psorensen, @tictag, @dkotter via #173).
Security: Bump axios from 0.25.0 to 1.6.2 and @wordpress/scripts from 26.0.0 to 26.18.0 (props @dependabot, @ravinderk via #166).
Security: Bump follow-redirects from 1.15.3 to 1.15.6 and ip from 1.1.8 to 1.1.9 (props @dependabot, @dkotter via #169, #177).

2.2.2 – 2023-11-21

Changed: Bump WordPress “tested up to” version 6.4 (props @qasumitbagthariya, @jeffpaul via #162, #163).
Fixed: Ensure CSS applies properly to the SVG Icon block when added via theme.json (props @tobeycodes, @dkotter via #161).

2.2.1 – 2023-10-23

Changed: Update to apiVersion 3 for our SVG Icon block (props @fabiankaegy, @ravinderk, @jeffpaul, @dkotter via #133).
Fixed: Address an error due to the SVG Icon block using the fill-rule attribute (props @zamanq, @jeffpaul, @iamdharmesh via #152).
Security: Bump postcss from 8.4.20 to 8.4.31 (props @dependabot, @faisal-alvi via #155).
Security: Bump @cypress/request from 2.88.12 to 3.0.1 and cypress from 10.11.0 to 13.3.0 (props @dependabot, @ravinderk via #156).
Security: Bump @babel/traverse from 7.20.12 to 7.23.2 (props @dependabot, @iamdharmesh via #158).

2.2.0 – 2023-08-21

Added: New settings that give the ability to select which user roles can upload SVG files (props @dhanendran, @csloisel, @faisal-alvi, @dkotter via #76).
Added: SVG optimization during upload via SVGO. Feature is disabled by default but can be enabled using the safe_svg_optimizer_enabled filter (props @gsarig, @peterwilsoncc, @Sidsector9, @darylldoyle, @faisal-alvi, @dkotter, @ravinderk via #79, #145).
Added: Spacing and color controls added to SVG block (props @bmarshall511, @iamdharmesh via #135).
Added: Mochawesome reporter added for Cypress test report (props @jayedul, @peterwilsoncc via #124).
Changed: Update Support Level from Active to Stable (props @Sidsector9, @iamdharmesh via #100).
Changed: Update name of SVG block from Safe SVG Icon to Inline SVG (props @bmarshall511, @iamdharmesh via #135).
Changed: Bump WordPress “tested up to” version 6.3 (props @dkotter, @jeffpaul via #144).
Changed: Update the Dependency Review GitHub Action (props @jeffpaul, @Sidsector9 via #128).
Fixed: Add namespace to the class_exists check (props @szepeviktor, @iamdharmesh via #120).
Fixed: Ensure Sanitizer class is properly imported (props @szepeviktor, @iamdharmesh via #121).
Fixed: Remove an unneeded global (props @szepeviktor, @iamdharmesh via #122).
Fixed: Use absolute path in require (props @szepeviktor, @iamdharmesh via #123).
Fixed: Ensure custom classname added to SVG block is output on the front-end (props @bmarshall511, @Sidsector9, @dkotter via #130).
Fixed: Ensure SimpleXML exists before using it (props @sdmtt, @faisal-alvi via #140).
Fixed: Fix markdown issues in the readme (props @szepeviktor, @iamdharmesh via #119).
Security: Bump semver from 5.7.1 to 5.7.2 (props @dependabot via #134).
Security: Bump word-wrap from 1.2.3 to 1.2.5 (props @dependabot via #141).
Security: Bump tough-cookie from 4.1.2 to 4.1.3 and @cypress/request from 2.88.10 to 2.88.12 (props @dependabot via #146).

View historical changelog details here.