[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Fri Jul 3 22:09:34 UTC 2015
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+-------------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Upload | Version:
Severity: normal | Resolution: maybelater
Keywords: | Focuses:
---------------------------+-------------------------
Comment (by enshrined):
I've just put up a plugin as a sort of proof of concept of how we can
securely allow SVG uploads: https://wordpress.org/plugins/safe-svg/
This is based upon the svg-sanitizer library I've been working on (see
earlier comments), which at the moment seems to be doing pretty well at
sanitizing attack vectors including XXE and XSS attacks in SVG files.
It hooks into `wp_handle_upload_prefilter` and sanitizes the data before
being written to `uploads`. If the file cannot be sanitized, usually due
to a badly formatted XML file, it will return an error to the user saying
so and not upload the file.
If people are still interested in this issue and getting it fixed, testing
this plugin and giving me any feedback you have would be amazing!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:39>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
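The hook described in the comment above, as an added example that is not the safe-svg plugin's or the svg-sanitizer library's own code: a `wp_handle_upload_prefilter` callback that rewrites an SVG upload in place with sanitized markup, or aborts the upload with an error when the file cannot be parsed. The allow-list sanitizer inside it is a hypothetical, deliberately short stand-in for the author's library (the element and attribute lists are constructed for illustration and are far shorter than a production list); the `example_` function names are assumptions.

```php
<?php
/**
 * Added example, not the safe-svg plugin's own code. Sanitizes SVG uploads
 * in a wp_handle_upload_prefilter callback or rejects them with an error.
 */

// Allow-lists for this example (constructed; extend for real use).
function example_svg_allowed_elements() {
    return array( 'svg', 'g', 'path', 'rect', 'circle', 'ellipse', 'line',
                  'polyline', 'polygon', 'title', 'desc' );
}

function example_svg_allowed_attributes() {
    return array( 'viewBox', 'width', 'height', 'd', 'x', 'y', 'cx', 'cy',
                  'r', 'rx', 'ry', 'points', 'fill', 'stroke', 'stroke-width',
                  'transform', 'id', 'class' );
}

/**
 * Returns sanitized SVG markup, or false when the input is not well-formed
 * XML, carries a DOCTYPE, or is not an SVG document at all.
 */
function example_sanitize_svg( $svg ) {
    libxml_use_internal_errors( true );
    $dom = new DOMDocument();
    // LIBXML_NONET blocks network access during parsing; LIBXML_NOENT is
    // deliberately NOT set, so entity references are never substituted (XXE).
    if ( ! $dom->loadXML( $svg, LIBXML_NONET ) ) {
        return false; // badly formed XML: the caller reports an error
    }
    // Reject any DOCTYPE: an internal subset can declare entities.
    if ( null !== $dom->doctype || 'svg' !== $dom->documentElement->localName ) {
        return false;
    }

    $xpath = new DOMXPath( $dom );

    // Drop comments and processing instructions such as <?xml-stylesheet ?>.
    foreach ( iterator_to_array( $xpath->query( '//comment() | //processing-instruction()' ) ) as $node ) {
        $node->parentNode->removeChild( $node );
    }

    $allowed_elements   = example_svg_allowed_elements();
    $allowed_attributes = example_svg_allowed_attributes();

    // Snapshot the node list first: removing nodes while iterating a live
    // DOMNodeList skips siblings.
    foreach ( iterator_to_array( $xpath->query( '//*' ) ) as $element ) {
        if ( ! in_array( $element->localName, $allowed_elements, true ) ) {
            // <script>, <foreignObject>, <use>, <a> and anything else unknown
            // is removed together with its whole subtree.
            $element->parentNode->removeChild( $element );
            continue;
        }
        // Event handlers (onload, onclick, ...), href/xlink:href and style are
        // not in the allow-list and are stripped here. removeAttributeNode is
        // used so namespaced attributes are matched reliably.
        foreach ( iterator_to_array( $element->attributes ) as $attr ) {
            if ( ! in_array( $attr->nodeName, $allowed_attributes, true ) ) {
                $element->removeAttributeNode( $attr );
            }
        }
    }
    return $dom->saveXML();
}

/**
 * wp_handle_upload_prefilter callback: sanitize SVG uploads before they are
 * written to the uploads directory, or abort with a message for the user.
 */
function example_svg_upload_prefilter( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' !== $ext ) {
        return $file; // other file types pass through untouched
    }
    $clean = example_sanitize_svg( file_get_contents( $file['tmp_name'] ) );
    if ( false === $clean ) {
        // Setting 'error' makes wp_handle_upload() stop and show the message.
        $file['error'] = __( 'This SVG file could not be sanitized and was not uploaded.', 'example-svg' );
        return $file;
    }
    // Overwrite the temporary file so only the sanitized markup is stored.
    file_put_contents( $file['tmp_name'], $clean );
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_svg_upload_prefilter' );

// SVG must also be in the allowed MIME list, or WordPress rejects it earlier.
add_filter( 'upload_mimes', function ( $mimes ) {
    $mimes['svg'] = 'image/svg+xml';
    return $mimes;
} );
```

Dropped into a plugin file, this runs before the upload reaches `uploads`: the temporary file is replaced with the filtered markup, so the stored copy never contains the removed elements or attributes, and an unparseable file is refused rather than stored as-is. The allow-list approach (keep only what is known to be safe, drop everything else) is what makes the rejection of unknown elements such as `<script>` or `<foreignObject>` automatic rather than dependent on a blacklist.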