[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Tue Jun 2 20:41:16 UTC 2015


#24251: Reconsider SVG inclusion to get_allowed_mime_types
--------------------------------------+------------------------------
 Reporter:  JustinSainton             |       Owner:
     Type:  enhancement               |      Status:  new
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Upload                    |     Version:
 Severity:  minor                     |  Resolution:
 Keywords:  dev-feedback needs-patch  |     Focuses:
--------------------------------------+------------------------------

Comment (by iandunn):

 Replying to [comment:22 LewisCowles]:
 > It is a feature, not a bug, that SVGs with script tags can be uploaded,
 > and it should be incumbent on site owners and contributors to see that
 > authorized accessors of their installation of WordPress do not do such
 > things.

 By that logic, Core should also allow users to upload PHP scripts.

 The [https://wordpress.org/about/philosophy/ majority] of site admins
 aren't going to be aware of SVG security issues, let alone know how to
 protect against them.

 If you want to take on the responsibility of handling the security issues,
 then there's nothing stopping you from just enabling SVG uploads via a
 simple filter.

 > Bugs are software behaving in a way that is not expected. When I try to
 > upload an SVG file, I expect it to upload.

 Users will also (rightfully) expect WordPress to be secure by default;
 they won't expect that, in order to not get hacked, they have to learn
 about esoteric security issues, and then go through their site disabling
 things that are on by default.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
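
The comment above says a site owner can enable SVG uploads through a filter and take on the security handling. The following is an added example of that, not part of the original message and not WordPress core code. It assumes an administrators-only policy, and the helper name `example_svg_has_active_content` is hypothetical.

```php
<?php
// Added illustration: not WordPress core code and not from the ticket.
// Assumption: only administrators (manage_options) may upload SVG files.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( current_user_can( 'manage_options' ) ) {
        $mimes['svg'] = 'image/svg+xml';
    }
    return $mimes;
} );

// Hypothetical helper. Deny-list check that fails closed; it rejects files
// and is not a full sanitizer.
function example_svg_has_active_content( $path ) {
    $xml = file_get_contents( $path );
    // Refuse DOCTYPE/ENTITY declarations (entity expansion, external entities).
    if ( ! $xml || preg_match( '/<!(DOCTYPE|ENTITY)/i', $xml ) ) {
        return true;
    }
    $doc = new DOMDocument();
    if ( ! @$doc->loadXML( $xml, LIBXML_NONET ) ) {
        return true; // Not well-formed XML: reject.
    }
    $blocked = array( 'script', 'foreignobject', 'iframe', 'embed', 'object' );
    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        if ( in_array( strtolower( $el->localName ), $blocked, true ) ) {
            return true;
        }
        foreach ( $el->attributes as $attr ) {
            // Event handlers (onload, onclick, ...) and javascript: URLs.
            $value = strtolower( preg_replace( '/\s+/', '', $attr->value ) );
            if ( 0 === stripos( $attr->localName, 'on' )
                || false !== strpos( $value, 'javascript:' ) ) {
                return true;
            }
        }
    }
    return false;
}

// Reject the file before WordPress moves it into the uploads directory.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' === $ext && example_svg_has_active_content( $file['tmp_name'] ) ) {
        $file['error'] = 'SVG rejected: it contains script or other active content.';
    }
    return $file;
} );
```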

