[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Wed Jan 9 15:51:55 UTC 2019
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+------------------------------
Reporter: JustinSainton | Owner: (none)
Type: enhancement | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: early | Focuses:
---------------------------+------------------------------
Comment (by shamank):
I didn't read the entire thread, but I can understand the reason for not
allowing svg uploads because of code injection. Now, vectors are the
future and everybody knows and understands the importance of using them in
their websites. Wouldn't it be a solution to only allow admin uploads? I
mean, in the admin you allow even file editing, custom scripts, etc. You
can also upload and install themes and plugins from untrusted sources, so
if security is so relevant to not allow specific file formats, shouldn't
you also block all types of untrusted sources? If I build a theme/plugin
and I use svg images inside, will they also be blocked and not executed in
user/admin view?
I'm here because I can't use svg files in my theme anymore (something
related to latest versions of Avada theme), even using an svg support
plugin. So the only solution that worked was this in wp-config.php:
**define('ALLOW_UNFILTERED_UPLOADS', true);**
Do you think this is the way to handle this? Forcing users to allow
everything just because of a forbidden (and widely used format across
the internet) file type? Do you think you lead me to have a more secure
website after this?
**PLEASE**, in the name of the future, find a solution to calm down the
paranoia on behalf of the common sense.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:80>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
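
The narrower alternative the comment asks about (SVG uploads for administrators only), shown as an added example rather than code from the ticket or from WordPress core. It assumes administrators are the users holding `manage_options`; the `example_*` function names are hypothetical, and the check refuses files with active content instead of sanitizing them, so it is stricter than a maintained SVG sanitizer would be.

```php
<?php
// Added example, not WordPress core code. The example_* names are hypothetical.
// Assumption: "admin" means a user with the manage_options capability.

// Add the SVG MIME type only for administrators; other roles keep the default list.
add_filter( 'upload_mimes', 'example_allow_svg_for_admins' );
function example_allow_svg_for_admins( $mimes ) {
	if ( current_user_can( 'manage_options' ) ) {
		$mimes['svg'] = 'image/svg+xml';
	}
	return $mimes;
}

// Reject SVG uploads that carry active content. This is a reject-on-match
// check, not a sanitizer: the file is refused, never rewritten.
add_filter( 'wp_handle_upload_prefilter', 'example_reject_active_svg' );
function example_reject_active_svg( $file ) {
	if ( 'svg' !== strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
		return $file;
	}
	$reason = example_svg_problem( (string) file_get_contents( $file['tmp_name'] ) );
	if ( null !== $reason ) {
		$file['error'] = 'SVG rejected: ' . $reason; // a string here aborts the upload
	}
	return $file;
}

// Returns a reason string when the markup looks unsafe, or null when it passes.
function example_svg_problem( $svg ) {
	$doc = new DOMDocument();
	if ( '' === $svg || ! @$doc->loadXML( $svg, LIBXML_NONET ) ) {
		return 'not well-formed XML';
	}
	if ( null !== $doc->doctype ) {
		return 'DOCTYPE declarations are not accepted';
	}
	foreach ( $doc->getElementsByTagName( '*' ) as $node ) {
		if ( in_array( strtolower( $node->localName ), array( 'script', 'foreignobject' ), true ) ) {
			return 'contains <' . $node->localName . '>';
		}
		foreach ( $node->attributes as $attr ) {
			// Drop whitespace and control characters so "java\tscript:" still matches.
			$value = preg_replace( '/[\x00-\x20]+/', '', $attr->value );
			if ( 0 === stripos( $attr->localName, 'on' ) || preg_match( '/^(javascript|data):/i', $value ) ) {
				return 'active attribute ' . $attr->nodeName;
			}
		}
	}
	return null;
}
```

Loaded from a small plugin, this leaves `ALLOW_UNFILTERED_UPLOADS` undefined, so every other file type keeps the normal upload restrictions.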