[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Wed Sep 21 21:32:05 UTC 2016


#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+------------------------------
 Reporter:  JustinSainton  |       Owner:
     Type:  enhancement    |      Status:  reopened
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Upload         |     Version:
 Severity:  normal         |  Resolution:
 Keywords:  early          |     Focuses:
---------------------------+------------------------------

Comment (by enshrined):

 > The challenge here is that while we can, in theory, do a lot to sanitize
 > the SVG as it enters the WordPress media library, we have no control
 > over what happens to the SVG once it's presented on the front end because
 > a theme or plugin can alter that behavior on the fly.

 There are ways that we can attempt to sanitise on the client side.
 Libraries such as DOMPurify [https://github.com/cure53/DOMPurify] by Mario
 Heiderich are well maintained and tested and could quite easily be
 enqueued along with other WordPress JS files.

 I think the real issue with SVGs is not that we can't protect the user
 from malicious scripts running as we can't stop malicious JS running
 either, but more the fact that we can't protect the server from being
 attacked.

 As you say, SVG isn't an image file it's a standalone XML application and
 a number of server side XML attacks are well documented, but as of yet
 there's no surefire way of sanitising them server side that I've seen.
 Unless this issue can be cracked, I see no way WordPress can ever allow
 SVG uploads by default.

 You could maybe go the same way as allowing users with the
 `unfiltered_html` capability to upload SVGs but still I'd be cautious. If
 someone gets malicious unfiltered html on the page you may have some XSS
 attacks etc but if someone gets a malicious unsanitised SVG uploaded you
 could end up with XXE attacks or XML bombs affecting the server.

 I honestly don't think this ticket can go much further until someone comes
 up with a well maintained and tested SVG sanitisation library.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:69>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
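
The server-side half of the problem raised in the comment above (DTD/entity attacks, plus the obvious script vectors) can at least be gated on, even if not sanitised. The following is an added example, not WordPress core code and not the commenter's: a reject-on-detect check hooked on the real `wp_handle_upload_prefilter` filter. The helper names `svg_is_safe` and `svg_upload_gate` are hypothetical; it assumes SVG has already been added to the allowed MIME types by a plugin.

```php
<?php
// Added example (not WordPress core code). A deny-on-detect gate for SVG
// uploads: no sanitising, anything carrying a DTD, entities, script-like
// elements or event handlers is refused before it reaches the media library.

function svg_is_safe(string $xml, ?string &$reason = null): bool {
    // Refuse any DTD before a parser ever sees the bytes: internal entity
    // declarations ("XML bombs") and external ones (XXE) both live there.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        $reason = 'DTD or entity declaration present';
        return false;
    }
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing.
    // LIBXML_NOENT is deliberately absent so no substitution can happen.
    $ok = $dom->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $dom->documentElement === null
        || strtolower($dom->documentElement->localName) !== 'svg') {
        $reason = 'not a well-formed SVG document';
        return false;
    }
    foreach ($dom->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->localName);
        if (in_array($tag, ['script', 'foreignobject', 'iframe', 'embed', 'object'], true)) {
            $reason = "disallowed element <$tag>";
            return false;
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->localName);   // localName: xlink:href -> href
            if (strncmp($name, 'on', 2) === 0) {     // onload=, onclick=, ...
                $reason = "event handler attribute $name";
                return false;
            }
            if ($name === 'href' && preg_match('/^\s*(javascript|data):/i', $attr->value)) {
                $reason = 'script or data URI in href';
                return false;
            }
        }
    }
    return true;
}

function svg_upload_gate(array $file): array {
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'svg') {
        return $file;                                   // not an SVG, leave it alone
    }
    $xml = file_get_contents($file['tmp_name']);
    if ($xml === false || !svg_is_safe($xml, $why)) {
        $file['error'] = 'SVG rejected: ' . ($why ?? 'unreadable file');  // aborts the upload
    }
    return $file;
}
add_filter('wp_handle_upload_prefilter', 'svg_upload_gate');
```

This closes the DTD-based server-side class and the common XSS vectors at upload time; it does nothing about what a theme or plugin later does with the file on the front end, which is the limitation the thread identifies.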

