=== Safe SVG === Contributors: 10up, enshrined, jeffpaul Tags: svg, sanitize, upload, sanitise, security, svg upload, image, vector, file, graphic, media, mime Requires at least: 5.7 Tested up to: 6.2 Stable tag: 2.1.1 Requires PHP: 7.4 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website == Description == Safe SVG is the best way to Allow SVG Uploads in WordPress! It gives you the ability to allow SVG uploads whilst making sure that they're sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views. #### Current Features * **Sanitised SVGs** - Don't open up security holes in your WordPress site by allowing uploads of unsanitised files. * **View SVGs in the Media Library** - Gone are the days of guessing which SVG is the correct one, we'll enable SVG previews in the WordPress media library. #### Features on the Roadmap * **SVGO Optimisation** - You'll have the option to run your SVGs through our SVGO server on upload to save you space. * **Choose Who Can Upload** - Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload. Initially a proof of concept for [#24251](https://core.trac.wordpress.org/ticket/24251). SVG Sanitization is done through the following library: [https://github.com/darylldoyle/svg-sanitizer](https://github.com/darylldoyle/svg-sanitizer). == Installation == Install through the WordPress directory or download, unzip and upload the files to your `/wp-content/plugins/` directory == Frequently Asked Questions == = Can we change the allowed attributes and tags? = Yes, this can be done using the `svg_allowed_attributes` and `svg_allowed_tags` filters. They take one argument that must be returned. See below for examples: add_filter( 'svg_allowed_attributes', function ( $attributes ) { // Do what you want here... // This should return an array so add your attributes to // to the $attributes array before returning it. E.G. $attributes[] = 'target'; // This would allow the target="" attribute. return $attributes; } ); add_filter( 'svg_allowed_tags', function ( $tags ) { // Do what you want here... // This should return an array so add your tags to // to the $tags array before returning it. E.G. $tags[] = 'use'; // This would allow the element. return $tags; } ); == Changelog == = 2.1.1 - 2023-04-05 = * **Changed:** Upgrade `@wordpress` npm package dependencies (props [@ggutenberg](https://github.com/ggutenberg), [@Sidsector9](https://github.com/Sidsector9) via [#108](https://github.com/10up/safe-svg/pull/108)). * **Changed:** Bump WordPress "tested up to" version 6.2 (props [@ggutenberg](https://github.com/ggutenberg), [@Sidsector9](https://github.com/Sidsector9) via [#108](https://github.com/10up/safe-svg/pull/108)). * **Changed:** Run our E2E tests on the zip generated by "Build release zip" action (props [@jayedul](https://github.com/jayedul), [@dkotter](https://github.com/dkotter) via [#106](https://github.com/10up/safe-svg/pull/106)). * **Fixed:** Only load our block CSS if a page has the SVG block in it and remove an extra slash in the CSS file path. Remove an unneeded JS block file (props [@dkotter](https://github.com/dkotter), [@freinbichler](https://github.com/freinbichler), [@IanDelMar](https://github.com/IanDelMar), [@ocean90](https://github.com/ocean90), [@Sidsector9](https://github.com/Sidsector9) via [#112](https://github.com/10up/safe-svg/pull/112)). * **Fixed:** Better error handling for environments that don't match our minimum PHP version (props [@dkotter](https://github.com/dkotter), [@ravinderk](https://github.com/ravinderk) via [#111](https://github.com/10up/safe-svg/pull/111)). = 2.1.0 - 2023-03-22 = * **Added:** An SVG Gutenberg Block (props [@faisal-alvi](https://github.com/faisal-alvi), [@Sidsector9](https://github.com/Sidsector9), [@cr0ybot](https://github.com/cr0ybot), [@darylldoyle](https://github.com/darylldoyle), [@cbirdsong](https://github.com/cbirdsong), [@jeffpaul](https://github.com/jeffpaul) via [#80](https://github.com/10up/safe-svg/pull/80)). * **Added:** "Build release zip" GitHub Action (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter), [@faisal-alvi](https://github.com/faisal-alvi) via [#87](https://github.com/10up/safe-svg/pull/87)). * **Changed:** Bump minimum PHP version from 7.0 to 7.4 (props [@iamdharmesh](https://github.com/iamdharmesh), [@peterwilsoncc](https://github.com/peterwilsoncc), [@vikrampm1](https://github.com/vikrampm1) via [#82](https://github.com/10up/safe-svg/pull/82)). * **Changed:** Bump minimum WordPress version from 4.7 to 5.7 (props [@iamdharmesh](https://github.com/iamdharmesh), [@peterwilsoncc](https://github.com/peterwilsoncc), [@vikrampm1](https://github.com/vikrampm1) via [#82](https://github.com/10up/safe-svg/pull/82)). * **Changed:** Bump WordPress "tested up to" version 6.1 (props [@iamdharmesh](https://github.com/iamdharmesh), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#85](https://github.com/10up/safe-svg/pull/85)). * **Security:** Updates the underlying sanitisation library to pull in a security fix (props [@darylldoyle](https://github.com/darylldoyle), [@faisal-alvi](https://github.com/faisal-alvi), [@Cyxow](https://github.com/Cyxow) via [#105](https://github.com/10up/safe-svg/pull/105)). * **Security:** Bump `got` from 10.7.0 to 11.8.5 (props [@dependabot](https://github.com/apps/dependabot) via [#83](https://github.com/10up/safe-svg/pull/83)). * **Security:** Bump `@wordpress/env from` 4.9.0 to 5.6.0 (props [@dependabot](https://github.com/apps/dependabot) via [#83](https://github.com/10up/safe-svg/pull/83)). * **Security:** Bump `simple-git` from 3.9.0 to 3.16.0 (props [@dependabot](https://github.com/apps/dependabot) via [#88](https://github.com/10up/safe-svg/pull/88), [#99](https://github.com/10up/safe-svg/pull/99)). * **Security:** Bump `loader-utils` from 2.0.2 to 2.0.4 (props [@dependabot](https://github.com/apps/dependabot) via [#92](https://github.com/10up/safe-svg/pull/92)). * **Security:** Bump `json5` from 1.0.1 to 1.0.2 (props [@dependabot](https://github.com/apps/dependabot) via [#91](https://github.com/10up/safe-svg/pull/91)). * **Security:** Bump `decode-uri-component` from 0.2.0 to 0.2.2 (props [@dependabot](https://github.com/apps/dependabot) via [#93](https://github.com/10up/safe-svg/pull/93)). * **Security:** Bump `markdown-it` from 12.0.4 to 12.3.2 (props [@dependabot](https://github.com/apps/dependabot), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#94](https://github.com/10up/safe-svg/pull/94)). * **Security:** Bump `@wordpress/scripts` from 19.2.4 to 25.1.0 (props [@dependabot](https://github.com/apps/dependabot), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#94](https://github.com/10up/safe-svg/pull/94)). * **Security:** Bump `http-cache-semantics` from 4.1.0 to 4.1.1 (props [@dependabot](https://github.com/apps/dependabot), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#101](https://github.com/10up/safe-svg/pull/101)). * **Security:** Bump `webpack` from 5.75.0 to 5.76.1 (props [@dependabot](https://github.com/apps/dependabot), [@faisal-alvi](https://github.com/faisal-alvi) via [#103](https://github.com/10up/safe-svg/pull/103)). * **Security:** Bump `svg-sanitizer` from 0.15.2 to 0.16.0 (props [@darylldoyle](https://github.com/darylldoyle), [@faisal-alvi](https://github.com/faisal-alvi), [@Cyxow](https://github.com/Cyxow) via [#105](https://github.com/10up/safe-svg/pull/105)). = 2.0.3 - 2022-09-01 = * **Added:** More robust PHP testing (props [@iamdharmesh](https://github.com/iamdharmesh), [@faisal-alvi](https://github.com/faisal-alvi) via [#71](https://github.com/10up/safe-svg/pull/71), [#73](https://github.com/10up/safe-svg/pull/73)). * **Fixed:** Addressed PHPCS errors (props [@iamdharmesh](https://github.com/iamdharmesh), [@faisal-alvi](https://github.com/faisal-alvi) via [#73](https://github.com/10up/safe-svg/pull/73)). = 2.0.2 - 2022-06-27 = * **Added:** Dependency security scanning (props [@jeffpaul](https://github.com/jeffpaul) via [#60](https://github.com/10up/safe-svg/pull/60)). * **Added:** End-to-end testing with Cypress (props [@iamdharmesh](https://github.com/iamdharmesh) via [#64](https://github.com/10up/safe-svg/pull/64)). * **Changed:** Bump WordPress version "tested up to" 6.0 (props [@dkotter](https://github.com/dkotter) via [#65](https://github.com/10up/Ad-Refresh-Control/issues/65)). * **Removed:** Redundant premium version upgrade link (props [@ocean90](https://github.com/ocean90), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#61](https://github.com/10up/safe-svg/pull/61)). * **Removed:** Unneeded admin CSS fix for featured images (props [@AdamWills](https://github.com/AdamWills), [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#63](https://github.com/10up/safe-svg/pull/63)). = 2.0.1 - 2022-04-19 = * **Changed:** Documentation updates (props [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc)). * **Fixed:** Ensure our height and width attributes are set before using them (props [@dkotter](https://github.com/dkotter), [@r8r](https://github.com/r8r), [@jerturowetz](https://github.com/jerturowetz), [@cadic](https://github.com/cadic)). * **Fixed:** Support for installing via packagist.org (props [@roborourke](https://github.com/roborourke), [@peterwilsoncc](https://github.com/peterwilsoncc)). = 2.0.0 - 2022-04-06 = * **Added:** New filter, `safe_svg_use_width_height_attributes`, that can be used to change the order of attributes we use to determine the SVG dimensions (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)). * **Changed:** Documentation updates (props [@j-hoffmann](https://github.com/j-hoffmann), [@jeffpaul](https://github.com/jeffpaul), [@Zodiac1978](https://github.com/Zodiac1978)). * **Fixed:** Use the `viewBox` attributes first for image dimensions. Ensure we don't use image dimensions that end with percent signs (props [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)). * **Fixed:** Make sure we use the full size SVG dimensions rather than the requested size, to avoid wrong sizes being used and duplicate height and width attributes (props [@dkotter](https://github.com/dkotter), [@cadic](https://github.com/cadic)). * **Fixed:** Ensure the `tmp_name` and `name` properties exist before we use them (props [@dkotter](https://github.com/dkotter), [@aksld](https://github.com/aksld)). = 1.9.10 - 2022-02-23 = **Note that this release bumps the WordPress minimum version from 4.0 to 4.7 and the PHP minimum version from 5.6 to 7.0.** * **Changed:** Bump WordPress minimum version from 4.0 to 4.7 (props [@cadic](https://github.com/cadic)). * **Changed:** Bump PHP minimum version from 5.6 to 7.0 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul)). * **Changed:** Update `enshrined/svg-sanitize` from 0.13.3 to 0.15.2 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic)). * **Changed:** Bump WordPress version "tested up to" 5.9 (props [@BBerg10up](https://github.com/BBerg10up), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic)). * **Changed:** Updated library location and added a new build step (props [@darylldoyle](https://github.com/darylldoyle), [@dkotter](https://github.com/dkotter)). * **Changed:** Updated plugin assets and added docs and repo management workflows via GitHub Actions (props [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [@jeffpaul](https://github.com/jeffpaul)). * **Fixed:** Double slash being added in SVG file URL for newer uploads (props [@mehulkaklotar](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman)). * **Fixed:** Float value casting for SVGs when fetching width and height (props [@mehulkaklotar](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman)). * **Fixed:** Use calculated size for SVGs instead of using `false` (props [@dkotter](https://github.com/dkotter), [@darylldoyle](https://github.com/darylldoyle), [@fritteli](https://github.com/fritteli)). * **Fixed:** Add better file type checking when looking for SVG files (props [@davidhamann](https://github.com/davidhamann), [@dkotter](https://github.com/dkotter), [@darylldoyle](https://github.com/darylldoyle)). = 1.9.9 - 2020-05-07 = * **Fixed:** Issue where 100% width is accidentally converted to 100px width (props [@joehoyle](https://github.com/joehoyle)). = 1.9.8 - 2020-05-07 = * **Changed:** Underlying library update. = 1.9.7 - 2019-12-10 = * **Changed:** Underlying library update. = 1.9.6 - 2019-11-07 = * **Security:** Underlying library update that fixes a security issue. = 1.9.5 - 2019-11-04 = * **Security:** Underlying library update that fixes some security issues. = 1.9.4 - 2019-08-21 = * **Fixed:** Bug causing lots of error log output to do with `safe_svg::fix_direct_image_output()`. = 1.9.3 - 2019-02-19 = * **Fixed:** Bug causing 0 height and width SVGs. = 1.9.2 - 2019-02-14 = * **Fixed:** Warning about an Illegal string offset. * **Fixed:** Issue if something other than a WP_Post object is passed in via the `wp_get_attachment_image_attributes` filter. = 1.9.1 - 2019-01-29 = * **Fixed:** Warning that was being generated by a change made in 1.9.0. = 1.9.0 - 2019-01-03 = * **Changed:** If an image is the correct ratio, allow skipping of the crop popup when setting header/logo images with SVGs. = 1.8.1 - 2018-11-22 = * **Changed:** Don't let errors break upload if uploading an empty file * **Fixed:** Featured image display in Gutenberg. Props [@dmhendricks](https://github.com/dmhendricks) :) = 1.8.0 - 2018-11-04 = * **Added:** Pull SVG dimensions from the width/height or viewbox attributes of the SVG. * **Added:** role="img" attribute to SVGs. = 1.7.1 - 2018-10-01 = * **Changed:** Underlying lib and added new filters for filtering allowed tags and attributes. = 1.7.0 - 2018-10-01 = * **Added:** Allow devs to filter tags and attrs within WordPress. = 1.6.1 - 2018-03-17 = * **Changed:** Images will now use the size chosen when inserted into the page rather than default to 2000px everytime. = 1.6.0 - 2017-12-20 = * **Added:** Fairly big new feature - The library now allows `` elements as long as they don't reference external files! * **Fixed:** You can now also embed safe image types within the SVG and not have them stripped (PNG, GIF, JPG). = 1.5.3 - 2017-11-16 = * **Fixed:** 1.5.2 introduced an issue that can freeze the media library. This fixes that issue. Sorry! = 1.5.2 - 2017-11-15 = * **Changed:** Tested with 4.9.0. * **Fixed:** Issue with SVGs when regenerating media. = 1.5.1 - 2017-08-21 = * **Fixed:** PHP strict standards warning. = 1.5.0 - 2017-06-20 = * **Changed:** Library update. * **Changed:** role, aria- and data- attributes are now whitelisted to improve accessibility. = 1.4.5 - 2017-06-18 = * **Changed:** Library update. * **Fixed:** some issues with defining the size of an SVG. = 1.4.4 - 2017-06-07 = * **Fixed:** SVGs now display as featured images in the admin area. = 1.4.3 - 2017-03-06 = * **Added:** WordPress 4.7.3 Compatibility. * **Changed:** Expanded SVG previews in media library. = 1.4.2 - 2017-02-26 = * **Added:** Check / fix for when mb_* functions are not available. = 1.4.1 - 2017-02-23 = * **Changed:** Underlying library to allow attributes/tags in all case variations. = 1.4.0 - 2017-02-21 = * **Added:** Ability to preview SVG on both grid and list view in the wp-admin media area * **Changed:** Underlying library version. = 1.3.4 - 2017-02-20 = * **Fixed:** SVGZ uploads failing and not sanitising correctly. = 1.3.3 - 2017-02-15 = * **Changed:** Allow SVGZ uploads. = 1.3.2 - 2017-01-27 = * **Fixed:** Mime type issue in 4.7.1. Mad props to [@LewisCowles1986](https://github.com/LewisCowles1986). = 1.3.1 - 2016-12-01 = * **Changed:** Underlying library version. = 1.3.0 - 2016-10-10 = * **Changed:** Minify SVGs after cleaning so they can be loaded correctly through `file_get_contents`. = 1.2.0 - 2016-02-27 = * **Added:** Support for camel case attributes such as viewBox. = 1.1.1 - 2016-07-06 = * **Fixed:** Issue with empty svg elements self-closing. = 1.1.0 - 2015-07-04 = * **Added:** I18n. * **Added:** da, de ,en, es, fr, nl and ru translations. * **Fixed:** Issue with filename not being pulled over on failed uploads. = 1.0.0 - 2015-07-03 = * Initial Release. == Upgrade Notice == = 1.9.10 = * Important: bumped the WordPress minimum version from 4.0 to 4.7 and the PHP minimum version from 5.6 to 7.0.