[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Thu Mar 16 23:59:26 UTC 2023
#24251: Reconsider SVG inclusion to get_allowed_mime_types
-------------------------------+------------------------------
Reporter: JustinSainton | Owner: (none)
Type: enhancement | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: early 2nd-opinion | Focuses:
-------------------------------+------------------------------
Changes (by azaozz):
* keywords: early => early 2nd-opinion
Comment:
Replying to [comment:99 iandunn]:
> I think those are positive signals, but I still suspect that
> [https://core.trac.wordpress.org/ticket/24251#comment:34 any PHP approach
> is fundamentally insecure].
Same here. Unfortunately SVGs remain a security concern.
On the other hand perhaps WP may be "overthinking" this a little? Not sure
if SVGs are more insecure than JS. Yet any admin and editor (on single
site) can add any JS to any post. So perhaps uploading of SVGs may be
enabled but only by users with `unfiltered_html` capability and perhaps
with a nice, big warning in the UI?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:101>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
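
The capability gate proposed in the message above, written as a small plugin. This is an added example, not part of the original message and not WordPress core code. The helper name `example_user_may_upload_svg`, the text domain, the warning wording and the choice of screens are assumptions.

```php
<?php
/**
 * Added example: allow SVG uploads only for users who hold the
 * unfiltered_html capability, and show them a warning on the media screens.
 */

// Hypothetical helper. $user may be null (current user), a user ID or a WP_User.
function example_user_may_upload_svg( $user = null ) {
	return $user
		? user_can( $user, 'unfiltered_html' )
		: current_user_can( 'unfiltered_html' );
}

// get_allowed_mime_types() passes the extension => MIME map and the user.
add_filter( 'upload_mimes', function ( $mimes, $user = null ) {
	// Start from a clean state: drop any SVG entry another plugin registered,
	// whatever extension key it used (for example 'svg' or 'svg|svgz').
	foreach ( $mimes as $ext => $type ) {
		if ( 'image/svg+xml' === $type ) {
			unset( $mimes[ $ext ] );
		}
	}
	// Re-add it only for users who may already post unfiltered markup.
	if ( example_user_may_upload_svg( $user ) ) {
		$mimes['svg'] = 'image/svg+xml';
	}
	return $mimes;
}, 99, 2 );

// The warning from the proposal, shown only to users who can upload SVGs.
add_action( 'admin_notices', function () {
	$screen = get_current_screen();
	// Assumption: 'upload' (Media Library) and 'media' (Add New) are the
	// screens where the warning is wanted.
	if ( ! $screen || ! in_array( $screen->id, array( 'upload', 'media' ), true ) ) {
		return;
	}
	if ( ! example_user_may_upload_svg() ) {
		return;
	}
	echo '<div class="notice notice-warning"><p>'
		. esc_html__( 'SVG files can contain scripts. Upload only SVGs from sources you trust.', 'example-textdomain' )
		. '</p></div>';
} );
```

`get_allowed_mime_types()` already applies the same capability test to `htm|html` and `js`, removing them for users without `unfiltered_html`. The gate only restricts who can upload; it does not sanitize the file, so an uploaded SVG is still served to every visitor as-is.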