[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Tue Jul 7 03:33:04 UTC 2015
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+-----------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: early | Focuses:
---------------------------+-----------------------
Comment (by chriscct7):
Replying to [comment:41 chriscct7]:
> Note the library in comment:20 is for proof of concept. As it's 5.3+,
> it's not usable in core. Further, it's not a mature (in terms of
> development) or complete sanitizer.
>
> If WordPress were to ever allow SVGs, the sanitize library would not
> only need to work well, it would also need to be thoroughly tested, in
> large scale production environments. Literally by design, SVGs are
> designed to be insecure. Just as we continue to find new MySQL
> vulnerabilities (not with WordPress specifically but with MySQL in
> general), SVGs continue to have entirely new vectors found.
>
> The second something like SVGs were to get into WordPress core, our
> library would be scrutinized, poked and prodded for security holes.
>
> Also there would be a very significant preference to using a library
> that another large scale company uses in production, thus guaranteeing
> its current development but also removing the core team from having to
> maintain yet another library, like for example the Dropbox zxcvbn library.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:43>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
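To make concrete what "SVGs are designed to be insecure" means for an upload sanitizer, here is an added, stand-alone illustration. It is not WordPress code, not the proof-of-concept library from comment:20, and not a recommendation of any particular library; it is an allowlist-based SVG scrubber written in Python (chosen so it can be run as-is) with its own, deliberately small, allowlists and a constructed malicious SVG as input. Every name in it (`sanitize_svg`, `ALLOWED_ELEMENTS`, `ALLOWED_ATTRS`, the sample document) is this example's own invention. It drops script elements, event-handler attributes, `javascript:`/`data:`/remote references, `foreignObject`, `image`, `style`, and refuses any document carrying a DTD, and it returns a list of what it removed so the reader can see how many distinct vectors one small file exercises.

```python
"""Allowlist-based SVG scrubber (illustration only, not WordPress code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Allowlists are this example's own choice (assumption): anything not listed is
# dropped. Deliberately absent: script, style, foreignObject, image, animate,
# set, and anything from a non-SVG namespace such as XHTML.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "a", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan",
    "linearGradient", "radialGradient", "stop", "use",
}
ALLOWED_ATTRS = {
    "id", "version", "viewBox", "x", "y", "width", "height", "d", "points",
    "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2", "fill", "stroke",
    "stroke-width", "transform", "offset", "stop-color", "href",
}
# Reference-carrying attributes: only same-document fragments (#id) survive.
URL_ATTRS = {"href"}


def _local(name):
    """'{namespace}local' -> 'local'; unqualified names pass through."""
    return name.rsplit("}", 1)[-1]


def _scrub_attrs(elem, removed):
    for name, value in list(elem.attrib.items()):
        local = _local(name)
        if local.lower().startswith("on"):          # onload, onclick, onerror...
            reason = "event handler"
        elif local not in ALLOWED_ATTRS:
            reason = "attribute not in allowlist"
        elif local in URL_ATTRS and not value.strip().startswith("#"):
            reason = "non-fragment reference"       # javascript:, data:, http(s):
        else:
            continue
        removed.append(f"{_local(elem.tag)}@{local}: {reason}")
        del elem.attrib[name]


def _scrub_tree(elem, removed):
    _scrub_attrs(elem, removed)
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_ELEMENTS:
            removed.append(f"element {_local(child.tag)}")
            elem.remove(child)                      # whole subtree goes with it
        else:
            _scrub_tree(child, removed)


def sanitize_svg(data):
    """Return (clean_svg_text, removed_items).

    Raises ValueError if the document carries a DTD (entity expansion and
    XXE surface that the parser would otherwise honour) or is not an SVG.
    """
    lowered = data.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise ValueError("DTD not allowed")
    root = ET.fromstring(data)                      # comments and PIs are discarded
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not svg")
    removed = []
    _scrub_tree(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample, one file exercising several distinct vectors.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"
     onload="alert(document.cookie)">
  <script>alert('xss')</script>
  <rect x="10" y="10" width="80" height="80" fill="#ccc"/>
  <a xlink:href="javascript:alert(1)"><circle cx="50" cy="50" r="20"/></a>
  <use xlink:href="data:image/svg+xml;base64,PHN2Zy8+" x="0" y="0"/>
  <image href="http://evil.example/track.png" width="1" height="1"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><iframe src="//evil.example"/></body></foreignObject>
  <style>rect { background: url("http://evil.example/leak") }</style>
</svg>"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(MALICIOUS_SVG)
    print(clean)
    for item in removed:
        print("removed:", item)
```

The returned list for the sample has seven entries (an event handler on the root, a script element, a `javascript:` link, a `data:` reference on `use`, a remote `image`, a `foreignObject` carrying XHTML, and a `style` block), which is the practical content of the comment's point: the format itself offers a script engine, an HTML container, CSS and several kinds of external reference, so a sanitizer is a list of things to deny that grows as new vectors are found. A production scrubber would need a far larger allowlist, a CSS-aware treatment of `style` attributes, and awareness that inline SVG in an HTML page is parsed by the HTML parser rather than an XML one.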