I recently noticed an urge to add support SVG files in the WordPress media.
Beautiful, very good idea, SVG is a very good format for the web and the performance for your site.
The way to add the support is simple and fast, here are two bad examples:
- http://wpchannel.com/autoriser-envoi-fichiers-svg-wordpress/ (fr)
- http://wpsnipp.com/index.php/functions-php/add-support-svg-inside-wordpress-media-uploader/
We must begin by asking why WordPress does not allow the upload of basic .svg, this beautiful picture of vector format.
Because if WordPress doesn’t manage it, there must be a reason, right? The answer is in the code that you gave: “xml“.
A ticket created in may 2013 exists for this.
SVG is an XML. The XML files are quite readable and a human can create its own, it is possible to create an SVG from a blank page.
The concern is that XML can contain many things that have nothing to do with the images, but the file will still be read by WordPress. A sample XML fault is known as XXE (see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing), or bomb nested entities or corruption of memory in order to make an overflow etc which is potentially possible in SVG, which is an XML.
More info here Active Content Injection with SVG Files
The solution is to clean the XML (thus SVG) DTD processing, XInclude, XSL, and XSI entities resolution. For this there is a library that allows you https://github.com/alnorris/SVG-Sanitizer when uploading to clean everything.
Luckily a plugin that does all that exists: Safe SVG
Well, now, you are secure, don’t use this small snippet, thanks.