[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Thu Sep 22 09:38:58 UTC 2016
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+------------------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: early | Focuses:
---------------------------+------------------------------
Comment (by enshrined):
Replying to [comment:70 bjornjohansen]:
> A huge issue is that while users with the capability of inserting
> scripts will (hopefully) be aware that scripts may be malicious, and only
> insert scripts from trusted sources, they are in many (most?) cases not
> aware that SVGs are not images at all, but XML applications. Believing
> they are just images, they might not consider the source at all. SVG is
> the perfect Trojan Horse.
Yep, I think this is the big issue with SVGs. People look at them as
images because in a lot of cases they're used to create images, especially
on the web.
Also, any sanitisation library will have to decide how tolerant to be.
It's extremely hard to work out from the server side whether embedded
script is malicious or not, and therefore you'd probably end up having to
remove all JS, which in turn takes away a huge benefit of SVGs.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:71>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
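The comment above ends at the position a strict sanitiser is forced into: because "is this script malicious?" cannot be decided server-side, everything that can execute script is removed, and a legitimately interactive SVG loses its behaviour in the process. The following is an added example written for this page; it is not code from the ticket, from WordPress core, or from any commenter's library. It treats the upload as what it is, an XML document, and strips script elements, elements outside the SVG namespace (an XHTML <script> nested inside an SVG still runs in an XML-rendering browser), foreignObject, set/animate (which can rewrite href attributes at runtime), on* event-handler attributes, and any href whose scheme is not http(s), a fragment, or relative. The forbidden lists, the URL allow-list, and both sample SVGs are this example's own choices, not a reference policy; the sample documents are constructed for the demonstration.

```python
"""Strict SVG sanitiser: drop everything that could run script.

Added example for the ticket discussion; not WordPress core code and not
any commenter's library. Uses the stdlib parser so it runs offline; for
real uploads parse with defusedxml instead, which neutralises entity
expansion tricks that the stdlib expat parser does not fully block.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Element local names (SVG namespace) that can execute or embed script, or
# mutate href attributes after the sanitiser has looked at them. Policy is
# this example's choice, not a standard list.
FORBIDDEN_LOCAL = {"script", "foreignObject", "set", "animate"}

# Attributes that carry a URL and so could carry a javascript: URL.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}

# Browsers ignore control characters and whitespace inside a scheme, so
# "java\nscript:" must be normalised before the scheme check.
_STRIP = re.compile(r"[\x00-\x20\x7f]")

# Serialise with a default xmlns rather than ns0: prefixes.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)


def _local(name: str) -> str:
    """'{ns}tag' -> 'tag'; plain names pass through."""
    return name.rsplit("}", 1)[-1]


def _ns(name: str) -> str:
    """'{ns}tag' -> 'ns'; '' for un-namespaced names."""
    return name[1:].split("}", 1)[0] if name.startswith("{") else ""


def is_safe_url(value: str) -> bool:
    """Allow-list: fragment, http(s), or a relative reference with no scheme."""
    v = _STRIP.sub("", value).lower()
    if v.startswith("#") or v.startswith(("http://", "https://")):
        return True
    # Any other scheme (javascript:, data:, vbscript:, ftp:, ...) is rejected.
    return ":" not in v.split("/", 1)[0]


def _scrub(elem: ET.Element, removed: list[str]) -> None:
    """Recursively remove forbidden children and dangerous attributes."""
    for child in list(elem):
        tag = child.tag
        if (not isinstance(tag, str)            # comments / PIs, if present
                or _ns(tag) != SVG_NS           # XHTML or other foreign content
                or _local(tag) in FORBIDDEN_LOCAL):
            removed.append("element:" + (_local(tag) if isinstance(tag, str) else "node"))
            elem.remove(child)                  # subtree goes with it
            continue
        _scrub(child, removed)
    for name, value in list(elem.attrib.items()):
        local = _local(name).lower()
        if local.startswith("on"):              # onload, onclick, onmouseover, ...
            removed.append("attr:" + local)
            del elem.attrib[name]
        elif name in URL_ATTRS and not is_safe_url(value):
            removed.append("attr:" + local)
            del elem.attrib[name]


def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (cleaned SVG, list of what was removed). Raises on non-SVG input."""
    root = ET.fromstring(svg_text)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("not an SVG document, root is %r" % root.tag)
    removed: list[str] = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: an "image" carrying script in every place a user who
# thinks of SVG as a picture would not look.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     xmlns:html="http://www.w3.org/1999/xhtml"
     width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <html:script>alert(2)</html:script>
  <foreignObject><html:body onload="alert(3)"/></foreignObject>
  <a xlink:href="java&#10;script:alert(4)"><circle cx="50" cy="50" r="40" fill="blue"/></a>
  <use href="data:image/svg+xml;base64,PHN2Zy8+"/>
  <set attributeName="href" to="javascript:alert(5)"/>
  <rect width="10" height="10" onmouseover="alert(6)"/>
</svg>"""

# Constructed sample: harmless interactivity that the same policy destroys,
# which is the trade-off the comment describes.
INTERACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle id="dot" cx="50" cy="50" r="10"/>
  <script>document.getElementById('dot').addEventListener('click',
    function (e) { e.target.setAttribute('r', 20); });</script>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("interactive", INTERACTIVE_SVG)):
        cleaned, removed = sanitize_svg(doc)
        print("%s: removed %s" % (label, removed))
        print(cleaned)
```

Running it shows every script vector stripped from the first document while the circle inside the `<a>` survives, and the second document reduced to a static circle: the sanitiser cannot tell the click handler from a cookie stealer, so both go.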