[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Thu Dec 5 23:47:11 UTC 2013
#24251: Reconsider SVG inclusion to get_allowed_mime_types
--------------------------------------+------------------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: minor | Resolution:
Keywords: dev-feedback needs-patch |
--------------------------------------+------------------------------
Comment (by JustinSainton):
I'm likely the furthest thing from an expert on the subject of security,
especially with regards to XXE. But, I would think something along
[https://github.com/alister-/SVG-Sanitizer/blob/master/SvgSanitizer.php
these lines], checking for
[http://wiki.whatwg.org/wiki/Sanitization_rules#svg_Elements these
elements] on the whitelist, along with using
[http://www.php.net/manual/en/function.libxml-disable-entity-loader.php
libxml_disable_entity_loader(true);] would get us a lot closer to a more
secure solution. But smarter minds (nacin, markjaquith, _duck, mdwaffe)
should certainly prevail.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24251#comment:18>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
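The approach the comment sketches, as an added example (not WordPress core code and not the SvgSanitizer project linked above): parse the upload with external entity loading disabled, reject any DOCTYPE or entity declaration outright, keep only allow-listed SVG elements and attributes, and drop event-handler attributes and non-fragment hrefs. The element and attribute lists are an assumed illustrative subset, not the WHATWG wiki list, and the sample input at the bottom is constructed for the demonstration.

```php
<?php
// Added example: allow-list SVG sanitizer with XXE guards. Not WordPress core
// code. The ALLOWED_* lists are an illustrative subset (assumption), not a
// complete SVG vocabulary; a real deployment would extend them deliberately.
declare(strict_types=1);

final class SvgAllowlistSanitizer
{
    /** @var string[] Assumed subset of allowed element local names (lower-case). */
    private const ALLOWED_ELEMENTS = [
        'svg', 'g', 'path', 'circle', 'rect', 'ellipse', 'line', 'polyline',
        'polygon', 'text', 'tspan', 'defs', 'lineargradient', 'radialgradient',
        'stop', 'title', 'desc',
    ];

    /** @var string[] Assumed subset of allowed attribute names (lower-case). */
    private const ALLOWED_ATTRIBUTES = [
        'xmlns', 'xmlns:xlink', 'viewbox', 'width', 'height', 'x', 'y',
        'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points',
        'fill', 'stroke', 'stroke-width', 'transform', 'id', 'offset',
        'stop-color', 'style', 'href', 'xlink:href',
    ];

    /** Returns sanitized SVG markup, or null if the document must be rejected. */
    public static function sanitize(string $svg): ?string
    {
        if (trim($svg) === '') {
            return null;
        }
        // Reject DOCTYPE / entity declarations up front: both XXE and entity
        // expansion need one, and a plain image never does.
        if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg)) {
            return null;
        }
        // PHP < 8.0: explicitly disable external entity loading. PHP >= 8.0
        // disables it by default and deprecates this call.
        if (PHP_VERSION_ID < 80000) {
            libxml_disable_entity_loader(true);
        }
        $previousErrorMode = libxml_use_internal_errors(true);

        $doc = new DOMDocument();
        // LIBXML_NONET blocks network access during parsing. LIBXML_NOENT is
        // deliberately not set, so entities are never substituted.
        $ok = $doc->loadXML($svg, LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrorMode);

        $root = $doc->documentElement;
        if (!$ok || $root === null || strtolower($root->localName) !== 'svg') {
            return null;
        }
        self::cleanElement($root);
        // Serialising only the root element also drops any processing
        // instructions (e.g. xml-stylesheet) that sat outside it.
        return $doc->saveXML($root);
    }

    private static function cleanElement(DOMElement $el): void
    {
        // Work on a static copy: removing nodes mutates the live node list.
        foreach (iterator_to_array($el->childNodes, false) as $child) {
            if ($child instanceof DOMElement) {
                if (!in_array(strtolower($child->localName), self::ALLOWED_ELEMENTS, true)) {
                    $el->removeChild($child); // e.g. <script>, <foreignObject>, with subtree
                    continue;
                }
                self::cleanElement($child);
            } elseif (!($child instanceof DOMText)) {
                $el->removeChild($child); // comments, processing instructions
            }
        }

        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name  = strtolower($attr->nodeName);
            $value = trim($attr->nodeValue);
            $drop  = !in_array($name, self::ALLOWED_ATTRIBUTES, true)
                || strncmp($name, 'on', 2) === 0                     // event handlers
                || stripos($value, 'javascript:') !== false
                || (($name === 'href' || $name === 'xlink:href') && !self::isFragmentRef($value))
                || ($name === 'style' && stripos($value, 'url(') !== false); // external fetches
            if ($drop) {
                $el->removeAttributeNode($attr);
            }
        }
    }

    /** Only same-document references (e.g. a gradient via #id) are kept. */
    private static function isFragmentRef(string $href): bool
    {
        return $href === '' || $href[0] === '#';
    }
}

// Constructed sample input (not from the ticket): a benign circle next to a
// script element and an onload handler, both of which should be stripped.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" onload="x()" viewBox="0 0 10 10">'
    . '<script>/* would execute in a browser */</script>'
    . '<circle cx="5" cy="5" r="4" fill="red"/></svg>';
echo SvgAllowlistSanitizer::sanitize($sample), PHP_EOL;

// A document carrying a DOCTYPE is rejected before it reaches the parser.
var_dump(SvgAllowlistSanitizer::sanitize('<!DOCTYPE svg [<!ENTITY e "x">]><svg/>'));
```

The DOCTYPE check and the omitted `LIBXML_NOENT` flag are two independent layers: even if the regex were bypassed by an unusual encoding, libxml would still not expand entities, and `LIBXML_NONET` keeps it from fetching anything while parsing. The allow-list is the part that would need the most care in practice; every element or attribute added to it should be justified against the WHATWG sanitization rules the comment references.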