[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Tue Jun 2 20:41:16 UTC 2015

#24251: Reconsider SVG inclusion to get_allowed_mime_types
 Reporter:  JustinSainton             |       Owner:
     Type:  enhancement               |      Status:  new
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Upload                    |     Version:
 Severity:  minor                     |  Resolution:
 Keywords:  dev-feedback needs-patch  |     Focuses:

Comment (by iandunn):

 Replying to [comment:22 LewisCowles]:
 > It is a feature, not a bug, that SVG's with script tags can be uploaded,
 and it should be incumbent on site owners and contributors to see that
 authorized accessors of their installation of WordPress does not do such

 By that logic, Core should also allow users to upload PHP scripts.

 The [https://wordpress.org/about/philosophy/ majority] of site admins
 aren't going to be aware of SVG security issues, let alone know how to
 protect against them.

 If you want to take on the responsibility of handling the security issues,
 then there's nothing stopping you from just enabling SVG uploads via a
 simple filter.
 > Bugs are softwae behaving in a way that is not expected. When I try to
 upload an SVG file, I expect it to upload.

 Users will also (rightfully) expect WordPress to be secure by default;
 they won't expect that, in order to not get hacked, they have to learn
 about esoteric security issues, and then go through their site disabling
 things that are on by default.

Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list