darylldoyle/safe-svg
Composer 安装命令:
composer require darylldoyle/safe-svg
包简介
Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website
README 文档
README
Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.
Overview
Safe SVG is the best way to Allow SVG Uploads in WordPress!
It gives you the ability to allow SVG uploads whilst making sure that they're sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.
Current Features
- Sanitised SVGs - Don't open up security holes in your WordPress site by allowing uploads of unsanitised files.
- SVGO Optimisation - Runs your SVGs through the SVGO tool on upload to save you space. This feature is disabled by default but can be enabled by adding the following code:
add_filter( 'safe_svg_optimizer_enabled', '__return_true' ); - View SVGs in the Media Library - Gone are the days of guessing which SVG is the correct one, we'll enable SVG previews in the WordPress media library.
- Choose Who Can Upload - Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.
Initially a proof of concept for #24251.
SVG Sanitization is done through the following library: https://github.com/darylldoyle/svg-sanitizer.
SVG Optimization is done through the following library: https://github.com/svg/svgo.
Technical: Upload Path Security
WordPress’s _wp_handle_upload( $file, $action ) function allows any $action value, which determines the filter hook name: {$action}_prefilter. Safe SVG hooks common actions like wp_handle_upload and wp_handle_sideload, but cannot hook arbitrary custom actions defined by third-party code. Since upload actions are unbounded and MIME allowances are global, we cannot guarantee sanitization coverage across all possible upload paths.
Requirements
- PHP 7.4+
- WordPress 6.6+
Installation
Install through the WordPress directory or download, unzip and upload the files to your /wp-content/plugins/ directory.
Frequently Asked Questions
Can we change the allowed attributes and tags?
Yes, this can be done using the svg_allowed_attributes and svg_allowed_tags filters.
They take one argument that must be returned. See below for examples:
add_filter( 'svg_allowed_attributes', function ( $attributes ) { // Do what you want here... // This should return an array so add your attributes to // to the $attributes array before returning it. E.G. $attributes[] = 'target'; // This would allow the target="" attribute. return $attributes; } ); add_filter( 'svg_allowed_tags', function ( $tags ) { // Do what you want here... // This should return an array so add your tags to // to the $tags array before returning it. E.G. $tags[] = 'use'; // This would allow the <use> element. return $tags; } );
Why doesn't Safe SVG globally enable SVG uploads?
Safe SVG only allows SVGs through upload paths it can actively sanitize. While most WordPress uploads use standard functions like wp_handle_upload() (which Safe SVG hooks), plugins and themes can create custom upload paths by calling WordPress's underlying _wp_handle_upload() function with arbitrary action parameters.
Globally enabling the image/svg+xml MIME type would allow SVGs through all upload paths—including custom ones Safe SVG cannot intercept and sanitize. This would create security vulnerabilities where unsanitized SVGs containing malicious scripts could be uploaded.
This is a deliberate design decision: Safe SVG prioritizes guaranteed sanitization over broad compatibility. SVGs are only allowed when we can ensure they're safe.
Where do I report security bugs found in this plugin?
Please report security bugs found in the source code of the Safe SVG plugin through the Patchstack Vulnerability Disclosure Program. The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
Support Level
Stable: 10up is not planning to develop any new features for this, but will still respond to bug reports and security concerns. We welcome PRs, but any that include new features should be small and easy to integrate and should not include breaking changes. We otherwise intend to keep this tested up to the most recent version of WordPress.
Changelog
A complete listing of all notable changes to Safe SVG are documented in CHANGELOG.md.
Contributing
Please read CODE_OF_CONDUCT.md for details on our code of conduct, CONTRIBUTING.md for details on the process for submitting pull requests to us, and CREDITS.md for a listing of maintainers of, contributors to, and libraries used by Safe SVG.
Like what you see?
darylldoyle/safe-svg 适用场景与选型建议
darylldoyle/safe-svg 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 309.32k 次下载、GitHub Stars 达 333, 最近一次更新时间为 2019 年 08 月 21 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 darylldoyle/safe-svg 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 darylldoyle/safe-svg 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 309.32k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 334
- 点击次数: 19
- 依赖项目数: 2
- 推荐数: 0
其他信息
- 授权协议: GPL-2.0-or-later
- 更新时间: 2019-08-21

