Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.
Safe SVG is the best way to Allow SVG Uploads in WordPress!
It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.
add_filter( 'safe_svg_optimizer_enabled', '__return_true' );
Initially a proof of concept for #24251.
SVG Sanitization is done through the following library: https://github.com/darylldoyle/svg-sanitizer.
SVG Optimization is done through the following library: https://github.com/svg/svgo.
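What the sanitization step removes can be seen by calling the sanitizer library named above directly, outside WordPress. This is an added example, not code from the Safe SVG plugin; it assumes the library is installed with Composer as enshrined/svg-sanitize, and the sample SVG is constructed for the demonstration.

```php
<?php
// Added example, not part of the Safe SVG plugin.
// Assumption: installed with `composer require enshrined/svg-sanitize`.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

// Constructed sample input: a drawing plus three kinds of active content
// (event-handler attribute, script element, javascript: link).
$dirty = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="10" height="10" onload="console.log('handler')">
  <script>console.log('inline script');</script>
  <a xlink:href="javascript:console.log('link')"><circle cx="5" cy="5" r="4" fill="#09c"/></a>
</svg>
SVG;

$sanitizer = new Sanitizer();
$clean     = $sanitizer->sanitize( $dirty );

if ( false === $clean ) {
    // sanitize() returns false when the input cannot be parsed as XML.
    // Reject the upload in that case instead of storing the original bytes.
    fwrite( STDERR, "Rejected: input is not well-formed SVG\n" );
    exit( 1 );
}

// The library records what it removed; log this so rejected content is auditable.
foreach ( $sanitizer->getXmlIssues() as $issue ) {
    printf( "%s (line %s)\n", $issue['message'], $issue['line'] ?? '?' );
}

// Verify the active content is gone while the drawing itself survives.
foreach ( array( '<script', 'onload', 'javascript:' ) as $needle ) {
    if ( false !== stripos( $clean, $needle ) ) {
        fwrite( STDERR, "Unexpected content survived: {$needle}\n" );
        exit( 1 );
    }
}
if ( false === strpos( $clean, '<circle' ) ) {
    fwrite( STDERR, "Sanitizer removed the drawing itself\n" );
    exit( 1 );
}

echo $clean, "\n";
```

Elements and attributes that are not on the library's allowlists are dropped, which is why the svg_allowed_tags and svg_allowed_attributes filters described below should only ever add entries you have reviewed.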
Install through the WordPress directory or download, unzip and upload the files to your /wp-content/plugins/ directory.
Yes, this can be done using the svg_allowed_attributes and svg_allowed_tags filters.
They take one argument that must be returned. See below for examples:
add_filter( 'svg_allowed_attributes', function ( $attributes ) {

    // Do what you want here...

    // This should return an array, so add your attributes to
    // the $attributes array before returning it. E.g.

    $attributes[] = 'target'; // This would allow the target="" attribute.

    return $attributes;
} );

add_filter( 'svg_allowed_tags', function ( $tags ) {

    // Do what you want here...

    // This should return an array, so add your tags to
    // the $tags array before returning it. E.g.

    $tags[] = 'use'; // This would allow the <use> element.

    return $tags;
} );
safe_svg_current_user_can_upload, allowing more control over who can upload SVG files (props @dkotter, @iamdharmesh via #193).
admin_post_thumbnail_html filter with just two arguments (props @kmgalanakis, @dkotter, @liz1kiweno via #196).
$image_meta is not an array (props @faisal-alvi, @dkotter, @drazenbebic, @kirtangajjar via #203).
download-artifact from v3 to v4 (props @iamdharmesh, @jeffpaul via #181).
lee-dohm/no-response with actions/stale to help with closing no-response/stale issues (props @jeffpaul, @dkotter via #183).
webpack-dev-middleware from 5.3.3 to 5.3.4 (props @dependabot, @dkotter via #185).
express from 4.18.2 to 4.19.2 (props @dependabot, @dkotter via #188).
svg_dimensions function to be more performant (props @sksaju, @cjyabraham, @bmarshall511, @Hercilio1, @darylldoyle via #154, #174).
axios from 0.25.0 to 1.6.2 and @wordpress/scripts from 26.0.0 to 26.18.0 (props @dependabot, @ravinderk via #166).
follow-redirects from 1.15.3 to 1.15.6 and ip from 1.1.8 to 1.1.9 (props @dependabot, @dkotter via #169, #177).
theme.json (props @tobeycodes, @dkotter via #161).
apiVersion 3 for our SVG Icon block (props @fabiankaegy, @ravinderk, @jeffpaul, @dkotter via #133).
fill-rule attribute (props @zamanq, @jeffpaul, @iamdharmesh via #152).
postcss from 8.4.20 to 8.4.31 (props @dependabot, @faisal-alvi via #155).
@cypress/request from 2.88.12 to 3.0.1 and cypress from 10.11.0 to 13.3.0 (props @dependabot, @ravinderk via #156).
@babel/traverse from 7.20.12 to 7.23.2 (props @dependabot, @iamdharmesh via #158).
safe_svg_optimizer_enabled filter (props @gsarig, @peterwilsoncc, @Sidsector9, @darylldoyle, @faisal-alvi, @dkotter, @ravinderk via #79, #145).
Active to Stable (props @Sidsector9, @iamdharmesh via #100).
class_exists check (props @szepeviktor, @iamdharmesh via #120).
SimpleXML exists before using it (props @sdmtt, @faisal-alvi via #140).
semver from 5.7.1 to 5.7.2 (props @dependabot via #134).
word-wrap from 1.2.3 to 1.2.5 (props @dependabot via #141).
tough-cookie from 4.1.2 to 4.1.3 and @cypress/request from 2.88.10 to 2.88.12 (props @dependabot via #146).