[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Sat Feb 27 21:41:21 UTC 2016

#24251: Reconsider SVG inclusion to get_allowed_mime_types
 Reporter:  JustinSainton  |       Owner:
     Type:  enhancement    |      Status:  reopened
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Upload         |     Version:
 Severity:  normal         |  Resolution:
 Keywords:  early          |     Focuses:

Comment (by LewisCowles):

 @DrewAPicture none of what I have said is hyperbole; it is all documented
 facts, references to easy to find information with anyone using this TRAC
 (which I have assumed they know how to use), and the wider internet.

 PHP 5.2's last release was announced on January 6, 2011
 http://nl1.php.net/archive/2011.php#id2011-01-06-1, that is over five
 years ago! Scrolling up two entries on that link demonstrates the product
 was EOL in 2011 as far as PHP were concerned. Any stack running that is so
 old, it will likely also be vulnerable at the server level to a host of
 vulnerabilities; many much more serious than a dodgy SVG file. The
 language you use would suppose this is akin to pretending santa exists to
 kids; but it's not, it's much more like pretending all strangers are nice
 people a child should trust. Sadly times change; how you educate, and how
 much you educate users need to change too.

 As I'm much less interested in opinions than facts, and keen not to be
 drawn into some cyclical nonsense about tone of conversation; please check
 at PHP.net, pay attention to release dates and the change log from 5.2.8
 (given by someone else in this thread), until the present 5.6.x version
 (or 5.7.x version when that becomes available).
 http://php.net/ChangeLog-5.php#5.2.9 . The technically minded will notice
 many problems ranging from the annoying to unacceptable.

 I would like to apologize to anyone who has found some of what I ave said
 "insulting". Please be assured my interest in contributing to your project
 with code is no-longer existent. My only contributions to any thread which
 I am subscribed to now, is to ensure that it presents a technically
 accurate account of decisions, which may well highlight problems with this
 project, but should overall help to educate. I think there are only a few
 threads, but feel free to ban me if you wish to enforce all users operate
 sheerly on opinion and trust, rather than facts.

 It is terrible to not be able to feel differently; it is terrible to have
 to use these words; But to call misrepresented facts, or exaggerations,
 and non-standard practices negligent is not an insult. What it does
 represent is the opinion of a professional (not just one), who has worked
 in software for over 13 years (me), based upon the current, and past code-
 base of this project; some of it's own official announcements; based upon
 some of the advice I see contributors, including your last post, giving to
 an audience described in your own words as "a largely non-technical user
 base, all of whom place their trust in the project leaders". It's
 unacceptable, much more so than colourful use of language.

 It's this very aspect that has me both concerned and professionally
 shocked. It's this that you probably think is rude; but I have to say,
 disagreeing with someone, or believing their work is negligent based upon
 it's failed conformance to established industry practices is not rude or
 insulting, unless untrue or misrepresented. There have been professional
 talks at PHP community events for years encouraging people to use more
 recent versions of PHP runtime software; it's a core competency in
 operations and server-admin to ensure that updates and especially patches
 are applied, and that software is upgraded when needed; and a post from
 IRCMaxwell; a PHP core contributor including the same sentiment I am
 expressing on PHP can be found here http://blog.ircmaxell.com/2014/12/on-

 I think it would be far more rude for me to congratulate, jeer, or promote
 ignorance to my peers of what I understand to be widely understood best
 practices, and whilst I do not expect them to understand much of the
 technical expertise I posses; especially not those that are "largely non-
 technical". To suggest that it's unreasonable to allow a file-type > 75%
 of the internet can access without restriction, that the primary server OS
 linux uses, that is present in many themes as a potential for representing
 iconography is much more hyperbolic. (For this fact, I'm using the
 WordPress official we are on 25% of the web figures, Fontawesome.io as an
 icon-font example).

 Worse still to suggest SVG, unlike other files deserves excessive scrutiny
 (I'd suggest you take a look at MediaWiki & OWASP who both use and support
 SVG on systems much more open than WordPress standard installs) is to
 misrepresent the understood and monitored state of the market. It's like
 the tobacco industry telling people that it's healthy to smoke their
 brand, but not competitors, it's simply untrue.

 Instead I would suggest that you are using the fact I am presenting
 uncomfortable information to suggest I am insulting you or any other
 specific person. I am not, and if anyone thinks I am, then again I
 apologize to them. I would like to point out that I cannot do anything
 about how they interpret a stream of facts and suggestions, all to benefit
 a largely non-technical user-base to enhance their project, and re-iterate
 that my comments are not to insult, deride, or mislead through hyperbole
 or emotive language. I simply do not believe the responses received
 against SVG in core since the initial comment; are of the same quality and
 effort, or technical competence that the pro-SVG arguments demonstrate.

Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:58>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list