[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Thu Sep 22 09:13:18 UTC 2016
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+------------------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: early | Focuses:
---------------------------+------------------------------
Comment (by bjornjohansen):
Replying to [comment:69 enshrined]:
> You could maybe go the same way as allowing users with the
> `unfiltered_html` capability to upload SVGs but still I'd be cautious.
A huge issue is that while users with the capability of inserting scripts
will (hopefully) be aware that scripts may be malicious, and only insert
scripts from trusted sources, they are in many (most?) cases not aware
that SVGs are not images at all, but XML applications. Believing they are
just images, they might not consider the source at all. SVG is the perfect
Trojan Horse.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:70>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
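As an added illustration of the comment's point that an SVG is an XML application rather than a bitmap (this is not code from the ticket or from WordPress core), the Python sketch below lists the active content found in an uploaded file. The function name, the element list and the two sample documents are constructed assumptions, and the element list is not exhaustive.

```python
import xml.etree.ElementTree as ET

# Elements that run or embed non-image content (assumed list, not exhaustive).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}

# Constructed samples: a static drawing and one carrying script.
STATIC = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)">'
            b'<script>console.log(2)</script><circle r="4"/></svg>')

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def svg_active_content(data: bytes) -> list[str]:
    """Return findings showing the SVG is more than a static image."""
    # Refuse DTDs before parsing: they allow entity declarations and
    # a conservative upload filter has no need to expand them.
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    if local(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS:
                # Drop whitespace first so a split-up scheme still matches.
                if "".join(value.split()).lower().startswith("javascript:"):
                    findings.append(f"{name} with javascript: URL on <{tag}>")
    return findings

if __name__ == "__main__":
    for label, doc in (("static", STATIC), ("scripted", SCRIPTED)):
        print(label, svg_active_content(doc))
```

An empty list means only that none of these checks fired; a filter used for uploads would allowlist known-safe elements and attributes rather than rely on a blocklist like this one.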