[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Thu May 2 20:17:29 UTC 2013
#24251: Reconsider SVG inclusion to get_allowed_mime_types
------------------------------------+------------------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: minor | Resolution:
Keywords: has-patch dev-feedback |
------------------------------------+------------------------------
Comment (by JustinSainton):
Indeed - there are extensive security concerns to be aware of (remote
execution, unsafe redirects, etc.) - but these are not unsolvable issues.

https://github.com/clones/html5lib/blob/master/python/src/html5lib/sanitizer.py
takes an interesting approach.

I've seen other systems do the equivalent of applying a type of
wp_kses_post() to the content of the SVG file.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24251#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
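
An added example, not part of the ticket comment and not WordPress or html5lib code: a small allowlist sanitizer of the kind the comment alludes to, applied to an uploaded SVG with Python's standard library. The tag and attribute allowlists, the value pattern, the sample upload and every function name are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Constructed, deliberately small allowlists; a production policy would be broader.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "title", "desc"}
ALLOWED_ATTRS = {"viewBox", "width", "height", "x", "y", "cx", "cy", "r",
                 "rx", "ry", "d", "points", "fill", "stroke", "transform"}
SAFE_VALUE = re.compile(r"[A-Za-z0-9#%.,()\s+-]*")  # numbers, names, colours
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
          b'<script>x()</script><rect width="1" height="1"/></svg>')  # constructed


def _split(name):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    return tuple(name[1:].split("}", 1)) if name.startswith("{") else ("", name)


def _clean(elem):
    # Attributes: un-namespaced, allowlisted name, plain value without url().
    for name, value in list(elem.attrib.items()):
        ns, local = _split(name)
        if (ns or local not in ALLOWED_ATTRS or "url" in value.lower()
                or not SAFE_VALUE.fullmatch(value)):
            del elem.attrib[name]
    # Children: anything outside the SVG allowlist is removed with its subtree.
    for child in list(elem):
        ns, local = _split(child.tag)
        if ns != SVG_NS or local not in ALLOWED_TAGS:
            elem.remove(child)
        else:
            _clean(child)


def sanitize_svg(data: bytes) -> bytes:
    """Return an allowlisted copy of an SVG upload, or raise ValueError."""
    text = data.decode("utf-8")  # UnicodeDecodeError is a ValueError
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD and entity declarations are refused")
    try:
        root = ET.fromstring(text)  # the default parser drops comments and PIs
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML") from exc
    if _split(root.tag) != (SVG_NS, "svg"):
        raise ValueError("root element is not <svg>")
    _clean(root)
    ET.register_namespace("", SVG_NS)  # serialise with xmlns= instead of ns0:
    return ET.tostring(root)
```

The sanitizer re-serialises the cleaned tree instead of returning the uploaded bytes, so what is stored is only what the allowlist let through.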