[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Fri Mar 17 03:01:01 UTC 2023


#24251: Reconsider SVG inclusion to get_allowed_mime_types
-------------------------------+------------------------------
 Reporter:  JustinSainton      |       Owner:  (none)
     Type:  enhancement        |      Status:  reopened
 Priority:  normal             |   Milestone:  Awaiting Review
Component:  Upload             |     Version:
 Severity:  normal             |  Resolution:
 Keywords:  early 2nd-opinion  |     Focuses:
-------------------------------+------------------------------

Comment (by blobfolio):

 Replying to [comment:101 azaozz]:
 > Not sure if SVGs are more insecure than JS.

 SVGs can certainly leverage JavaScript for fun and profit, but they don't
 need to. They can embed arbitrary objects that target specific software
 vulnerabilities or misconfigurations, load external entities, launch
 applications on a user's computer, execute arbitrary code in server-side
 languages (ASP or PHP for example), crash browsers, or simply break page
 layouts.

 The risks are similar to any sort of unfiltered copy-and-paste-random-
 code-here functionality, except that most people don't even realize that
 SVGs are ''code''. By all appearances, they're just another way to store
 cute cat pictures, and people love uploading random cat pictures to their
 blogs [citation needed].

 Once people start uploading random SVGs to their web sites, anything can
 happen, particularly if they're inlined into the page markup, or worse,
 `<?php include(...)?>`ed. (Browsers have gotten pretty good at neutering
 SVGs when they're called from `<img>` tags, at least.)

 To be clear, I would love to see official SVG support in WordPress, but
 not until KSES is made XML-aware, and basic SVG-specific validation is in
 place. WordPress would likely need to require additional PHP modules like
 DOMDocument for that, though, which may leave this dead in the water.

 But in the meantime it is easy to enable SVG upload support on a site-by-
 site basis as needed. All it takes is a single filter call or third-party
 plugin.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:103>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
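The "single filter call" the comment refers to, paired with the kind of basic SVG-specific validation it says core lacks, as an added example that is not part of the ticket or of WordPress core; the `svg_upload_rejection_reason` helper name and the administrators-only policy are assumptions.

```php
<?php
// Added example, not code from the ticket: opt in to SVG uploads with the
// `upload_mimes` filter, then refuse SVG files carrying active or external
// content in `wp_handle_upload_prefilter`. Needs the DOMDocument extension.
add_filter( 'upload_mimes', function ( array $mimes ) {
    if ( current_user_can( 'manage_options' ) ) {   // administrators only (assumed policy)
        $mimes['svg'] = 'image/svg+xml';
    }
    return $mimes;
} );
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    if ( 'svg' === strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
        $reason = svg_upload_rejection_reason( (string) file_get_contents( $file['tmp_name'] ) );
        if ( null !== $reason ) {
            $file['error'] = 'SVG rejected: ' . $reason;  // WordPress aborts the upload
        }
    }
    return $file;
} );
// Returns null for plain vector art, otherwise why the file was refused.
// Anything disallowed rejects the whole file; nothing is stripped or repaired.
function svg_upload_rejection_reason( string $xml ): ?string {
    if ( preg_match( '/<!(DOCTYPE|ENTITY)/i', $xml ) ) {
        return 'DOCTYPE and entity declarations are not allowed';
    }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors( true );
    $ok   = $doc->loadXML( $xml, LIBXML_NONET );     // never fetch remote resources
    libxml_use_internal_errors( $prev );
    if ( ! $ok || 'svg' !== $doc->documentElement->localName ) {
        return 'not a well-formed SVG document';
    }
    $blocked = [ 'script', 'foreignobject', 'iframe', 'object', 'embed', 'handler' ];
    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        if ( in_array( strtolower( $el->localName ), $blocked, true ) ) {
            return "<{$el->localName}> element";
        }
        foreach ( $el->attributes as $attr ) {
            $name = strtolower( $attr->localName );
            if ( 0 === strpos( $name, 'on' ) ) {
                return "event handler attribute {$attr->name}";  // onload, onclick, ...
            }
            if ( 'href' === $name && '#' !== substr( trim( $attr->value ), 0, 1 ) ) {
                return 'only same-document (#id) href references are allowed';
            }
        }
    }
    return null;
}
```

Rejecting rather than sanitising keeps the check small; a file that passes it is still best served from `<img>` rather than inlined into page markup.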