[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Mon Jul 6 22:54:52 UTC 2015


#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+-----------------------
 Reporter:  JustinSainton  |       Owner:
     Type:  enhancement    |      Status:  reopened
 Priority:  normal         |   Milestone:
Component:  Upload         |     Version:
 Severity:  normal         |  Resolution:
 Keywords:  early          |     Focuses:
---------------------------+-----------------------

Comment (by chriscct7):

 Note the library in comment:20 is for proof of concept. As it's 5.3+, it's
 not usable in core. Further, it's not a mature (in terms of development)
 or complete sanitizer.

 If WordPress were to ever allow SVGs, the sanitize library would not only
 need to work well, it would also need to be thoroughly tested, in large
 scale production environments. Literally by design, SVGs are designed to
 be insecure. Just as we continue to find new MySQL vulnerabilities (not
 with WordPress specifically but with MySQL in general), SVGs continue to
 have entirely new vectors found.

 The second something like SVGs were to get into WordPress core, our
 library would be scrutinized, poked and prodded for security holes.

 Also there would be a significant presence to using a library that another
 large scale company uses in production, thus guaranteeing its current
 development but also removing core team from having to maintain yet
 another library, like for example the Dropbox zxcvbn library.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:41>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
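As an added illustration (not code from the ticket, from comment:20's library, or from WordPress core) of the kind of upload gate the comment says a sanitizer would have to stand behind: the snippet allows the SVG extension through `upload_mimes` and then rejects, in `wp_handle_upload_prefilter`, any file whose content is flagged. The two hook names are real WordPress filters; the checks themselves are this example's own, and are deliberately incomplete (no CSS inspection, no external `<use>`/`<image>` references), which is the point the comment makes about a complete sanitizer being a much larger job.

```php
<?php
// Added example, not from the ticket or WordPress core: refuse SVG uploads that
// carry active content. upload_mimes and wp_handle_upload_prefilter are real
// WordPress filters; the checks below are illustrative and not exhaustive.
function example_svg_active_content( $svg ) {
    // DOCTYPE/ENTITY declarations are an XML-level risk (external entities, expansion).
    if ( preg_match( '/<!(DOCTYPE|ENTITY)/i', $svg ) ) {
        return 'DOCTYPE or ENTITY declaration';
    }
    $prev = libxml_use_internal_errors( true );
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML( $svg, LIBXML_NONET ); // never fetch network resources
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return 'not well-formed XML';
    }
    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        $name = strtolower( $el->localName );
        if ( in_array( $name, array( 'script', 'foreignobject', 'iframe', 'object', 'embed' ), true ) ) {
            return "<$name> element";
        }
        foreach ( $el->attributes as $attr ) {
            $aname  = strtolower( $attr->localName );
            $avalue = strtolower( trim( $attr->nodeValue ) );
            if ( strpos( $aname, 'on' ) === 0 ) { // onload, onclick, ... run script
                return "$aname attribute";
            }
            if ( $aname === 'href' && preg_match( '/^(javascript|data):/', $avalue ) ) {
                return "$aname with $avalue URI";
            }
        }
    }
    return false; // nothing flagged by these checks
}
// Allow the extension, then reject on content. The client-supplied $file['type']
// is not trusted, so the file extension decides which uploads are inspected.
add_filter( 'upload_mimes', function ( $mimes ) {
    $mimes['svg'] = 'image/svg+xml';
    return $mimes;
} );
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) === 'svg' ) {
        $why = example_svg_active_content( file_get_contents( $file['tmp_name'] ) );
        if ( $why ) {
            $file['error'] = 'SVG rejected: ' . $why; // a non-empty error aborts the upload
        }
    }
    return $file;
} );
```

Setting `$file['error']` to a non-empty string in the prefilter is how WordPress aborts the upload and surfaces the message to the user; a rejection here is a detection signal worth logging, since the same file would otherwise have been served from the media library.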