Allow SVG uploads and sanitize them to stop XML/SVG vulnerabilities
Safe SVG is the best way to Allow SVG Uploads in WordPress!
It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.
Current Features
- Sanitised SVGs – Don’t open up security holes in your WordPress site by allowing uploads of unsanitised files.
- SVGO Optimisation – Runs your SVGs through the SVGO tool on upload to save you space. This feature is disabled by default but can be enabled by adding the following code:
add_filter( 'safe_svg_optimizer_enabled', '__return_true' );
- View SVGs in the Media Library – Gone are the days of guessing which SVG is the correct one, we’ll enable SVG previews in the WordPress media library.
- Choose Who Can Upload – Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.
Initially a proof of concept for #24251.
SVG Sanitization is done through the following library: https://github.com/darylldoyle/svg-sanitizer.
SVG Optimization is done through the following library: https://github.com/svg/svgo.
FAQ
Can we change the allowed attributes and tags?
Yes, this can be done using the svg_allowed_attributes and svg_allowed_tags filters.
They take one argument that must be returned. See below for examples:
add_filter( 'svg_allowed_attributes', function ( $attributes ) {
// Do what you want here...
// This should return an array so add your attributes to
// to the $attributes array before returning it. E.G.
$attributes[] = 'target'; // This would allow the target="" attribute.
return $attributes;
} );
add_filter( 'svg_allowed_tags', function ( $tags ) {
// Do what you want here...
// This should return an array so add your tags to
// to the $tags array before returning it. E.G.
$tags[] = 'use'; // This would allow the <use> element.
return $tags;
} );
ChangeLog
2.2.4 – 2024-03-28
- Changed: Upgrade the
download-artifact from v3 to v4 (props @iamdharmesh, @jeffpaul via #181).
- Changed: Replaced
lee-dohm/no-response with actions/stale to help with closing no-response/stale issues (props @jeffpaul, @dkotter via #183).
- Fixed: Ensure the svg file can be loaded before we try accessing it’s attributes (props @dkotter, @metashield-ie, @ocean90, @darylldoyle, @faisal-alvi via #186).
- Fixed: Ensure we don’t throw JS errors in the Classic Editor when the optimizer feature is turned on (props @dkotter, @turtlepod, @faisal-alvi via #187).
- Security: Bump
webpack-dev-middleware from 5.3.3 to 5.3.4 (props @dependabot, @dkotter via #185).
- Security: Bump
express from 4.18.2 to 4.19.2 (props @dependabot, @dkotter via #188).
2.2.3 – 2024-03-20
- Added: Support for the WordPress.org plugin preview (props @dkotter, @jeffpaul via #167).
- Changed: Bump WordPress “tested up to” version 6.5 (props @dkotter, @jeffpaul via #180).
- Changed: Clean up NPM dependencies and update node to v20 (props @Sidsector9, @dkotter via #172).
- Fixed: Refactor the
svg_dimensions function to be more performant (props @sksaju, @cjyabraham, @bmarshall511, @Hercilio1, @darylldoyle via #154, #174).
- Fixed: Address fatal JS error when optimization is enabled and an item is published without blocks (props @psorensen, @tictag, @dkotter via #173).
- Security: Bump
axios from 0.25.0 to 1.6.2 and @wordpress/scripts from 26.0.0 to 26.18.0 (props @dependabot, @ravinderk via #166).
- Security: Bump
follow-redirects from 1.15.3 to 1.15.6 and ip from 1.1.8 to 1.1.9 (props @dependabot, @dkotter via #169, #177).
2.2.2 – 2023-11-21
2.2.1 – 2023-10-23
2.2.0 – 2023-08-21
- Added: New settings that give the ability to select which user roles can upload SVG files (props @dhanendran, @csloisel, @faisal-alvi, @dkotter via #76).
- Added: SVG optimization during upload via SVGO. Feature is disabled by default but can be enabled using the
safe_svg_optimizer_enabled filter (props @gsarig, @peterwilsoncc, @Sidsector9, @darylldoyle, @faisal-alvi, @dkotter, @ravinderk via #79, #145).
- Added: Spacing and color controls added to SVG block (props @bmarshall511, @iamdharmesh via #135).
- Added: Mochawesome reporter added for Cypress test report (props @jayedul, @peterwilsoncc via #124).
- Changed: Update Support Level from
Active to Stable (props @Sidsector9, @iamdharmesh via #100).
- Changed: Update name of SVG block from Safe SVG Icon to Inline SVG (props @bmarshall511, @iamdharmesh via #135).
- Changed: Bump WordPress “tested up to” version 6.3 (props @dkotter, @jeffpaul via #144).
- Changed: Update the Dependency Review GitHub Action (props @jeffpaul, @Sidsector9 via #128).
- Fixed: Add namespace to the
class_exists check (props @szepeviktor, @iamdharmesh via #120).
- Fixed: Ensure Sanitizer class is properly imported (props @szepeviktor, @iamdharmesh via #121).
- Fixed: Remove an unneeded global (props @szepeviktor, @iamdharmesh via #122).
- Fixed: Use absolute path in require (props @szepeviktor, @iamdharmesh via #123).
- Fixed: Ensure custom classname added to SVG block is output on the front-end (props @bmarshall511, @Sidsector9, @dkotter via #130).
- Fixed: Ensure
SimpleXML exists before using it (props @sdmtt, @faisal-alvi via #140).
- Fixed: Fix markdown issues in the readme (props @szepeviktor, @iamdharmesh via #119).
- Security: Bump
semver from 5.7.1 to 5.7.2 (props @dependabot via #134).
- Security: Bump
word-wrap from 1.2.3 to 1.2.5 (props @dependabot via #141).
- Security: Bump
tough-cookie from 4.1.2 to 4.1.3 and @cypress/request from 2.88.10 to 2.88.12 (props @dependabot via #146).
2.1.1 – 2023-04-05
2.1.0 – 2023-03-22
- Added: An SVG Gutenberg Block (props @faisal-alvi, @Sidsector9, @cr0ybot, @darylldoyle, @cbirdsong, @jeffpaul via #80).
- Added: “Build release zip” GitHub Action (props @iamdharmesh, @dkotter, @faisal-alvi via #87).
- Changed: Bump minimum PHP version from 7.0 to 7.4 (props @iamdharmesh, @peterwilsoncc, @vikrampm1 via #82).
- Changed: Bump minimum WordPress version from 4.7 to 5.7 (props @iamdharmesh, @peterwilsoncc, @vikrampm1 via #82).
- Changed: Bump WordPress “tested up to” version 6.1 (props @iamdharmesh, @peterwilsoncc via #85).
- Security: Updates the underlying sanitisation library to pull in a security fix (props @darylldoyle, @faisal-alvi, @Cyxow via #105).
- Security: Bump
got from 10.7.0 to 11.8.5 (props @dependabot via #83).
- Security: Bump
@wordpress/env from 4.9.0 to 5.6.0 (props @dependabot via #83).
- Security: Bump
simple-git from 3.9.0 to 3.16.0 (props @dependabot via #88, #99).
- Security: Bump
loader-utils from 2.0.2 to 2.0.4 (props @dependabot via #92).
- Security: Bump
json5 from 1.0.1 to 1.0.2 (props @dependabot via #91).
- Security: Bump
decode-uri-component from 0.2.0 to 0.2.2 (props @dependabot via #93).
- Security: Bump
markdown-it from 12.0.4 to 12.3.2 (props @dependabot, @peterwilsoncc via #94).
- Security: Bump
@wordpress/scripts from 19.2.4 to 25.1.0 (props @dependabot, @peterwilsoncc via #94).
- Security: Bump
http-cache-semantics from 4.1.0 to 4.1.1 (props @dependabot, @peterwilsoncc via #101).
- Security: Bump
webpack from 5.75.0 to 5.76.1 (props @dependabot, @faisal-alvi via #103).
- Security: Bump
svg-sanitizer from 0.15.2 to 0.16.0 (props @darylldoyle, @faisal-alvi, @Cyxow via #105).
Earlier versions
For the changelog of earlier versions, please refer to the changelog on github.com.
