WordPress.org

Ideas

easy upload additional file types (SVG, KML, GPX, EMF, WMF, AI, CDR, etc.)

  1. ChrisFo
    Member

    Please integrate an easy way (without plugins or theme hacking) to upload additional useful filetypes like:
    SVG
    KML
    GPX
    EMF
    WMF
    AI
    CDR

    See also here: http://wordpress.org/support/topic/svg-upload-not-allowed?replies=9

    Posted: 3 years ago #
  2. Diogo15
    Member

    Or at least some function to add custom formats..

    Posted: 3 years ago #
  3. orpheus_emerges
    Member

    I was seduced into installing WP because there was an 'svg plugin.'

    I cannot get it to work, and as I inspect the code it appears to want to install an Adobe plugin that Adobe has long discontinued support for, since all 'modern' browsers natively support svg.

    Why can't WordPress allow svg support? The browsers do, so why can't WP let the svg in?

    Posted: 3 years ago #
  4. Ipstenu (Mika Epstein)
    Administrator

    There are multiple plugins actually: http://wordpress.org/extend/plugins/tags/svg

    Also you can use a plugin to add your own allowable upload types, and thus include them normally.

    If you need further support, please post in http://wordpress.org/support/

    Posted: 3 years ago #
  5. orpheus_emerges
    Member

    Ipstenu, thanks for taking the time to reply and offer a suggestion. However, as ChrisFo originally posted, the only real solution to this is to allow native display of the svg file type.

    This is a discussion that has reached its time: The wikis have long allowed for native display of svg.

    All of the major CMS packages are engaging in their own dialogs about why or why not svg is not feasible. I can't see the sense of it: if almost all of the 'modern' browsers support it natively, then what are we waiting for?

    Posted: 3 years ago #
  6. gingerling
    Member

    I agree - it is crazy that WP doesn't natively support SVG. SVG files are an open standard, using them is important in Free Culture design. I can't believe I am actually having to find a workaround or a plugin for something this basic!

    Posted: 1 year ago #
  7. Ipstenu (Mika Epstein)
    Administrator

    Using a plugin to achieve functionality beyond the norm of a tool is exactly what "Free Culture" software is about :) You're not locked in, you're allowed to expand.

    For the current discussion on the possible inclusion of SVG, you can read https://core.trac.wordpress.org/ticket/24251

    The primary issue is security. An SVG file is simply an XML file, which means uploading them can be terribly dangerous and we don't yet have a way to sanitize them enough.

    Posted: 1 year ago #
  8. orpheus_emerges
    Member

    Mika,

    Is this plugin that S.H. so graciously provided us with, at my request, promoting a security risk:

    http://wordpress.org/plugins/scalable-vector-graphics-svg/

    I have less than no knowledge about the various web code security issues.

    However, although I have yet to actually make use of S.H.'s generous gift (I tested it and it worked as I need it to--no idea about security), his providing that plugin allowed me to breathe easy and plant my seeds with WP, rather than continue wandering around the universe of endless CMS and wiki-niki's...

    And, has S.H.'s plugin been evaluated or are you and the code/security volunteers (my endless thanks) aware that that plugin has been in existence here for more than two years?

    Posted: 1 year ago #
  9. Ipstenu (Mika Epstein)
    Administrator

    The plugin is fine to use if you're aware of the issues native to SVG and that we don't YET scan for everything.

    Coincidentally? I'm on the Plugin review team here :) I review many of the new plugins before they're allowed to be hosted, and I can firmly say that the plugin you linked to? Is, in and of itself, totally secure.

    It's SVGs themselves that's a security hole.

    Posted: 1 year ago #
  10. orpheus_emerges
    Member

    Mika,

    I greatly appreciate your reply and I saved the content of the links that were reported in the WP Core #24251 thread.

    As I am still a walking blind man in terms of this type of coding, I'd appreciate if you could expand upon my major concern:

    If we use S.H.'s SVG plugin, and use it in the default manner, such as uploading a file from our own system (using the WP "Add Media" button in the editor), and a file which contains only code to generate _line_ graphics, without adding any javascript, are we still putting out into the web a potential security issue for our users, presuming we use something like the BulletProof Security plugin to protect our own WP install, so that someone can't change the code in our file(s)?

    I'm trying to get a focus on the _direction_ of the security concern. Again, this type of coding is still mostly a mystery to me.

    What I'm translating from what you have posted, and from the material I downloaded that was referenced in your WP Core thread, is that we all need to be primarily concerned with what we _save_ from web pages we download into our browser: Am I interpreting that correctly?

    Also, I have copied some of the concluding text from the "svg phone call" pdf linked to:

    Defense
    ● More difficult than one might assume
    ● No existing filter libs
    ● No good documentation
    ● XSS vectors are hard to comprehend
    ● New vectors coming up weekly
    ● SVG files should not be perceived as images
    ● Allowing SVG for upload == allowing HTML for upload
    ● SVG can embed, link or reference any kind of content over cross domain borders
    ● SVG provides new ways of payload obfuscation

    *

    What I'm confused about in that is his statement "Allowing SVG for upload == allowing HTML for upload":

    How does that relate to what we are discussing?

    I apologize for the lengthy post, but I think that if you can respond to this, other users beside myself could benefit from this.

    SVG is such an attractive technology.

    Posted: 1 year ago #
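
An added example, not part of the original thread or of any plugin mentioned in it, illustrating the quoted slide line "Allowing SVG for upload == allowing HTML for upload": an SVG is an XML document that can carry script elements, event-handler attributes and links, so an upload check has to parse it rather than treat it as an image. The function name `audit_svg`, the rule lists and both sample files are constructed for this illustration; the checks are not exhaustive and this is an audit that reports findings, not a sanitizer.

```python
import xml.etree.ElementTree as ET

# Elements that make an SVG behave like an HTML document rather than an image.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def audit_svg(data: bytes):
    """Return a list of findings; an empty list means none of the checks fired."""
    # Refuse DTDs before parsing: entity declarations are not needed for graphics.
    # This byte-level check assumes an ASCII-compatible encoding such as UTF-8.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["doctype-or-entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif attr in HREF_ATTRS and not value.strip().startswith("#"):
                findings.append(f"href not a same-document fragment on <{tag}>")
    return findings


# Constructed samples: a line-only drawing and one carrying active content.
PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg"><path d="M0 0 L10 10"/></svg>'
ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
          b'<script>/* any JavaScript placed here would run */</script>'
          b'<a href="https://example.invalid/"><path d="M0 0 L10 10"/></a></svg>')

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("active", ACTIVE)):
        print(label, audit_svg(sample))
```
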

  • Rating

    11 Votes
  • Status

    This idea is under consideration