[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Mon Jul 6 22:54:52 UTC 2015
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+-----------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: early | Focuses:
---------------------------+-----------------------
Comment (by chriscct7):
Note the library in comment:20 is for proof of concept. As it's 5.3+, it's
not usable in core. Further, it's not a mature (in terms of development)
or complete sanitizer.
If WordPress were to ever allow SVGs, the sanitize library would not only
need to work well, it would also need to be thoroughly tested, in large
scale production environments. Literally by design, SVGs are designed to
be insecure. Just as we continue to find new MySQL vulnerabilities (not
with WordPress specifically but with MySQL in general), SVGs continue to
have entirely new vectors found.
The second something like SVGs were to get into WordPress core, our
library would be scrutinized, poked and prodded for security holes.
Also there would be a significant presence to using a library that another
large scale company uses in production, thus guaranteeing its current
development but also removing core team from having to maintain yet
another library, like for example the Dropbox zxcvbn library.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:41>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
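To make concrete what the comment above means by a sanitizer that "would need to work well", here is an added example of the vector classes such a library has to cover (script elements, event-handler attributes, javascript:/data: URLs in href and xlink:href, CSS that fetches external resources, foreignObject wrapping arbitrary HTML, and DTD/entity declarations). It is illustrative Python written for this page, not code from the ticket, from WordPress core, or from the library in comment:20; the element and attribute allowlists are an assumed, deliberately small subset rather than a complete SVG profile, and the malicious input is constructed.

```python
"""Allowlist-based SVG sanitizer (illustrative; not WordPress code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Assumed, deliberately small allowlists; a real profile is much larger.
# Anything not listed (script, style, foreignObject, image, ...) is dropped.
ALLOWED_ELEMENTS = {"svg", "g", "a", "path", "rect", "circle", "ellipse",
                    "line", "polyline", "polygon", "text", "title", "desc",
                    "defs", "linearGradient", "radialGradient", "stop", "use"}
ALLOWED_ATTRS = {"id", "x", "y", "width", "height", "viewBox", "d", "cx", "cy",
                 "r", "rx", "ry", "x1", "y1", "x2", "y2", "points", "fill",
                 "stroke", "stroke-width", "transform", "offset", "stop-color",
                 "font-size"}
# href / xlink:href may only point at a fragment inside the same document.
SAFE_HREF = re.compile(r"^#[A-Za-z_][\w.-]*$")
# Inline CSS that fetches or executes: url(), @import, expression(), javascript:
DANGEROUS_STYLE = re.compile(r"url\s*\(|@import|expression\s*\(|javascript:", re.I)


def _local(name):
    """Local part of an ElementTree '{namespace}name' tag or attribute."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def _ns(name):
    return name[1:].split("}", 1)[0] if name.startswith("{") else ""


def sanitize_svg(raw: str) -> tuple[str, list[str]]:
    """Return (sanitized_svg, removed_items); raise ValueError to reject."""
    # Refuse DTDs up front: expat expands internal entities, so entity
    # expansion attacks start with a DOCTYPE, not with an element.
    if re.search(r"<!DOCTYPE|<!ENTITY", raw, re.I):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed")
    root = ET.fromstring(raw)
    if _ns(root.tag) != SVG_NS or _local(root.tag) != "svg":
        raise ValueError("root element is not <svg> in the SVG namespace")
    removed = []

    def clean(elem):
        for child in list(elem):                       # copy: we mutate elem
            name = _local(child.tag)
            # Foreign-namespace content (e.g. XHTML under foreignObject) or a
            # non-allowlisted element goes, together with its whole subtree.
            if _ns(child.tag) != SVG_NS or name not in ALLOWED_ELEMENTS:
                removed.append(f"element:{name}")
                elem.remove(child)
                continue
            clean(child)
        for attr in list(elem.attrib):
            aname, value = _local(attr), elem.attrib[attr]
            if aname.lower().startswith("on"):         # onload, onclick, ...
                removed.append(f"attr:{aname}")
                del elem.attrib[attr]
            elif aname == "href":                      # href and xlink:href
                if not SAFE_HREF.match(value.strip()):
                    removed.append(f"href:{value}")
                    del elem.attrib[attr]
            elif aname == "style":
                if DANGEROUS_STYLE.search(value):
                    removed.append("attr:style")
                    del elem.attrib[attr]
            elif aname not in ALLOWED_ATTRS:
                removed.append(f"attr:{aname}")
                del elem.attrib[attr]

    clean(root)
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed


def is_rejected(raw: str) -> bool:
    """True if sanitize_svg refuses the input outright."""
    try:
        sanitize_svg(raw)
        return False
    except ValueError:
        return True


# Constructed sample packing several vectors into one file.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <rect x="0" y="0" width="50" height="50" fill="red" onclick="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><circle cx="20" cy="20" r="5"/></a>
  <use xlink:href="data:image/svg+xml;base64,PHN2Zy8+#x"/>
  <use xlink:href="#safe"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(4)"/></body></foreignObject>
  <text style="background:url(http://evil.example/steal)">hi</text>
</svg>"""

if __name__ == "__main__":
    out, gone = sanitize_svg(MALICIOUS_SVG)
    print(out)
    print("removed:", gone)
```

The allowlist approach is the important design choice: a denylist of known-bad elements and attributes is exactly what keeps being bypassed as new vectors are found, which is the "entirely new vectors" problem the comment describes, whereas an allowlist only grows when a reviewer deliberately adds something. Even so, this sketch says nothing about CSS inside `<style>` elements, `<image>` pulling remote resources, SVG served with a MIME type that lets the browser treat it as a document, or the parser's own behaviour under malformed input, all of which a production sanitizer has to address.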