Secure WordPress

Add SVG Support in WordPress Medias, Yes But No!


I recently noticed a rush to add support for SVG files in the WordPress media library.

Beautiful, very good idea: SVG is a very good format for the web and for your site's performance.

Adding the support is quick and simple; here are two examples of what not to do:

We must begin by asking why WordPress does not allow uploading a plain .svg, this beautiful vector image format, out of the box.

If WordPress doesn't handle it, there must be a reason, right? The answer is in the very snippet you were given: "xml".

A ticket created in May 2013 exists for this.

SVG is XML. XML files are quite readable, and a human can write one by hand: it is possible to create an SVG from a blank page.

The concern is that XML can contain many things that have nothing to do with images, yet the file will still be parsed by WordPress. A well-known class of XML flaw is XXE (see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing); others are nested-entity bombs and memory corruption aimed at triggering an overflow. All of these are potentially possible in SVG, because SVG is XML.

More info here: Active Content Injection with SVG Files.

The solution is to sanitize the XML (and therefore the SVG): strip DTD processing, XInclude, XSL, and XSI entity resolution. There is a library for this, https://github.com/alnorris/SVG-Sanitizer, which cleans everything at upload time.

Luckily, a plugin that does all that already exists, and it even handles thumbnails: Scalable Vector Graphics (SVG).
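As an added example that is not part of this post, the linked library, or the plugin, here is a PHP guard on WordPress's wp_handle_upload_prefilter filter that rejects an SVG upload carrying the XML features named above (DTD and entity declarations, XInclude, XSL, XSI) or active content (script elements, event-handler attributes, javascript:/data: links). The sw_ function names are my own; the hook name is WordPress's. It refuses rather than cleans, so it belongs alongside a sanitizer, not in place of one.

```php
<?php
function sw_svg_find_problems( string $xml ): array {
    // A DOCTYPE carries external entities (XXE) and nested-entity bombs: refuse it before parsing.
    if ( preg_match( '/<!(DOCTYPE|ENTITY)/i', $xml ) ) {
        return array( 'DOCTYPE/ENTITY declaration' );
    }
    $dom = new DOMDocument();
    if ( ! @$dom->loadXML( $xml, LIBXML_NONET ) ) { // no network fetches; LIBXML_NOENT deliberately unset
        return array( 'not well-formed XML' );
    }
    $banned_ns = array(
        'http://www.w3.org/2001/XInclude'           => 'XInclude',
        'http://www.w3.org/1999/XSL/Transform'      => 'XSL',
        'http://www.w3.org/2001/XMLSchema-instance' => 'XSI',
    );
    $problems = array();
    $xpath    = new DOMXPath( $dom );
    // <?xml-stylesheet ...?> is how an XSL transform gets attached to a document.
    foreach ( $xpath->query( '//processing-instruction()' ) as $pi ) {
        $problems[] = 'processing instruction ' . $pi->target;
    }
    foreach ( $xpath->query( '//*' ) as $el ) {
        if ( isset( $banned_ns[ $el->namespaceURI ] ) ) {
            $problems[] = $banned_ns[ $el->namespaceURI ] . ' element ' . $el->localName;
        }
        if ( strtolower( $el->localName ) === 'script' ) { // any namespace, including inside foreignObject
            $problems[] = 'script element';
        }
        foreach ( $el->attributes as $attr ) {
            $name = strtolower( $attr->localName );
            if ( isset( $banned_ns[ $attr->namespaceURI ] ) ) {
                $problems[] = $banned_ns[ $attr->namespaceURI ] . ' attribute ' . $attr->name;
            } elseif ( strpos( $name, 'on' ) === 0 ) { // onload, onclick, ...
                $problems[] = 'event handler ' . $attr->name;
            } elseif ( $name === 'href' && preg_match( '/^\s*(javascript|data):/i', $attr->value ) ) {
                $problems[] = 'active href on ' . $el->localName; // localName also matches xlink:href
            }
        }
    }
    return array_values( array_unique( $problems ) );
}
function sw_svg_upload_guard( array $file ): array {
    if ( preg_match( '/\.svg$/i', $file['name'] ) && ! empty( $file['tmp_name'] ) ) {
        $problems = sw_svg_find_problems( (string) file_get_contents( $file['tmp_name'] ) );
        if ( $problems ) { $file['error'] = 'SVG rejected: ' . implode( ', ', $problems ); }
    }
    return $file; // setting $file['error'] makes WordPress abort the upload and show the message
}
add_filter( 'wp_handle_upload_prefilter', 'sw_svg_upload_guard' );
```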

Well, now you are safe: don't use that small snippet, thanks.

1 comment

That’s a good argument for not including it in the core, but that does not make the snippets linked bad simply by adding a mime type. If having an svg in the media gallery is by its nature not secure, then yes. Otherwise I could create and upload my own svg images without a problem. I have heard this argument before. People could upload svg files that could do X or X. This is true, but an argument to not include it in the core. I will say again: if a security concern exists by nature of simply having a safe svg image within the WordPress gallery, or its ability to upload one, I would totally agree. If this does exist, please educate me, and I will remove the snippet from my site, replaced with a link to yours!

With that said, I could make the same argument for php as a plugin or within a theme or functions.php. This, however, does not = should never do it!

Plus, I also have a warning to users. So it’s unfair to say it’s bad by its very nature, unless I’m in fact wrong about the security of your own svg images. Am I?
