Description
Safe SVG is the best way to Allow SVG Uploads in WordPress!
It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.
Current Features
- Sanitised SVGs – Don’t open up security holes in your WordPress site by allowing uploads of unsanitised files.
- SVGO Optimisation – Runs your SVGs through the SVGO tool on upload to save you space. This feature is disabled by default but can be enabled by adding the following code:

    add_filter( 'safe_svg_optimizer_enabled', '__return_true' );

- View SVGs in the Media Library – Gone are the days of guessing which SVG is the correct one, we’ll enable SVG previews in the WordPress media library.
- Choose Who Can Upload – Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.
Initially a proof of concept for #24251.
SVG Sanitization is done through the following library: https://github.com/darylldoyle/svg-sanitizer.
SVG Optimization is done through the following library: https://github.com/svg/svgo.
Blocks
This plugin provides 1 block.
- Safe SVG: Display the SVG icon
Installation
Install through the WordPress directory or download, unzip and upload the files to your /wp-content/plugins/ directory.
FAQ
-
Yes, this can be done using the svg_allowed_attributes and svg_allowed_tags filters.
They take one argument that must be returned. See below for examples:

    add_filter( 'svg_allowed_attributes', function ( $attributes ) {

        // Do what you want here...

        // This should return an array, so add your attributes
        // to the $attributes array before returning it. E.G.

        $attributes[] = 'target'; // This would allow the target="" attribute.

        return $attributes;
    } );

    add_filter( 'svg_allowed_tags', function ( $tags ) {

        // Do what you want here...

        // This should return an array, so add your tags
        // to the $tags array before returning it. E.G.

        $tags[] = 'use'; // This would allow the <use> element.

        return $tags;
    } );
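Every name added through these two filters is one more element or attribute that sanitisation will leave in uploaded files, and any plugin or theme on the site can hook them. The following is an added example, not code from Safe SVG or its authors: a guard that runs late on both filters and drops additions that could bring script execution back. The function and constant names are hypothetical and the blocked names are an illustrative, non-exhaustive set.

```php
<?php
// Added example, not Safe SVG's own code. Function and constant names are
// hypothetical; the blocked names are an illustrative, non-exhaustive set.

const EXAMPLE_BLOCKED_TAGS = array( 'script', 'foreignobject', 'iframe', 'object', 'embed' );

// Drop blocked element names (case-insensitive) from a tag allow-list.
function example_guard_svg_tags( $tags ) {
	if ( ! is_array( $tags ) ) {
		// An earlier callback broke the contract. Fail closed: an empty
		// allow-list means nothing extra is permitted.
		return array();
	}
	return array_values( array_filter( $tags, function ( $tag ) {
		return is_string( $tag )
			&& ! in_array( strtolower( $tag ), EXAMPLE_BLOCKED_TAGS, true );
	} ) );
}

// Drop event-handler attributes (onload, onclick, onbegin, ...) from an
// attribute allow-list. No presentation attribute in SVG starts with "on".
function example_guard_svg_attributes( $attributes ) {
	if ( ! is_array( $attributes ) ) {
		return array();
	}
	return array_values( array_filter( $attributes, function ( $attribute ) {
		return is_string( $attribute ) && 0 !== stripos( $attribute, 'on' );
	} ) );
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: PHP_INT_MAX runs these after callbacks at lower priorities.
	add_filter( 'svg_allowed_tags', 'example_guard_svg_tags', PHP_INT_MAX );
	add_filter( 'svg_allowed_attributes', 'example_guard_svg_attributes', PHP_INT_MAX );
} else {
	// Stand-alone run from the command line, on constructed lists.
	print_r( example_guard_svg_tags( array( 'svg', 'path', 'use', 'Script' ) ) );
	print_r( example_guard_svg_attributes( array( 'fill', 'target', 'onload', 'OnClick' ) ) );
}
```

Loaded as a must-use plugin, the guard applies regardless of which other plugin widened the lists; run from the command line it prints the filtered sample lists.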
Contributors & Developers
“Safe SVG” is open source software. The following people have contributed to this plugin.
“Safe SVG” has been translated into 26 locales. Thank you to the translators for their contributions.
Changelog
2.2.6 – 2024-08-28
- Changed: Bump WordPress “tested up to” version to 6.6 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
- Changed: Bump WordPress minimum from 5.7 to 6.4 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
- Security: Add svg sanitization on the wp_handle_sideload_prefilter filter (props @dkotter, @xknown, @iamdharmesh via GHSA-3vr7-86pg-hf4g).
- Security: Bump braces from 3.0.2 to 3.0.3, pac-resolver from 7.0.0 to 7.0.1, socks from 2.7.1 to 2.8.3, ws from 7.5.9 to 7.5.10 and remove ip (props @dependabot, @Sidsector9 via #206).
- Security: Bump axios from 1.6.7 to 1.7.4 (props @dependabot, @faisal-alvi via #218).
2.2.5 – 2024-06-27
- Added: New filter, safe_svg_current_user_can_upload, allowing more control over who can upload SVG files (props @dkotter, @iamdharmesh via #193).
- Fixed: Fatal error when applying the admin_post_thumbnail_html filter with just two arguments (props @kmgalanakis, @dkotter, @liz1kiweno via #196).
- Fixed: Prevent PHP fatal error when the value of the filtered block categories is not an array (props @kmgalanakis, @dkotter, @cguidog via #200).
- Fixed: Handled PHP warning when the $image_meta is not an array (props @faisal-alvi, @dkotter, @drazenbebic, @kirtangajjar via #203).
2.2.4 – 2024-03-28
- Changed: Upgrade the download-artifact from v3 to v4 (props @iamdharmesh, @jeffpaul via #181).
- Changed: Replaced lee-dohm/no-response with actions/stale to help with closing no-response/stale issues (props @jeffpaul, @dkotter via #183).
- Fixed: Ensure the svg file can be loaded before we try accessing its attributes (props @dkotter, @metashield-ie, @ocean90, @darylldoyle, @faisal-alvi via #186).
- Fixed: Ensure we don’t throw JS errors in the Classic Editor when the optimizer feature is turned on (props @dkotter, @turtlepod, @faisal-alvi via #187).
- Security: Bump webpack-dev-middleware from 5.3.3 to 5.3.4 (props @dependabot, @dkotter via #185).
- Security: Bump express from 4.18.2 to 4.19.2 (props @dependabot, @dkotter via #188).
2.2.3 – 2024-03-20
- Added: Support for the WordPress.org plugin preview (props @dkotter, @jeffpaul via #167).
- Changed: Bump WordPress “tested up to” version 6.5 (props @dkotter, @jeffpaul via #180).
- Changed: Clean up NPM dependencies and update node to v20 (props @Sidsector9, @dkotter via #172).
- Fixed: Refactor the svg_dimensions function to be more performant (props @sksaju, @cjyabraham, @bmarshall511, @Hercilio1, @darylldoyle via #154, #174).
- Fixed: Address fatal JS error when optimization is enabled and an item is published without blocks (props @psorensen, @tictag, @dkotter via #173).
- Security: Bump axios from 0.25.0 to 1.6.2 and @wordpress/scripts from 26.0.0 to 26.18.0 (props @dependabot, @ravinderk via #166).
- Security: Bump follow-redirects from 1.15.3 to 1.15.6 and ip from 1.1.8 to 1.1.9 (props @dependabot, @dkotter via #169, #177).
2.2.2 – 2023-11-21
- Changed: Bump WordPress “tested up to” version 6.4 (props @qasumitbagthariya, @jeffpaul via #162, #163).
- Fixed: Ensure CSS applies properly to the SVG Icon block when added via theme.json (props @tobeycodes, @dkotter via #161).
2.2.1 – 2023-10-23
- Changed: Update to apiVersion 3 for our SVG Icon block (props @fabiankaegy, @ravinderk, @jeffpaul, @dkotter via #133).
- Fixed: Address an error due to the SVG Icon block using the fill-rule attribute (props @zamanq, @jeffpaul, @iamdharmesh via #152).
- Security: Bump postcss from 8.4.20 to 8.4.31 (props @dependabot, @faisal-alvi via #155).
- Security: Bump @cypress/request from 2.88.12 to 3.0.1 and cypress from 10.11.0 to 13.3.0 (props @dependabot, @ravinderk via #156).
- Security: Bump @babel/traverse from 7.20.12 to 7.23.2 (props @dependabot, @iamdharmesh via #158).
2.2.0 – 2023-08-21
- Added: New settings that give the ability to select which user roles can upload SVG files (props @dhanendran, @csloisel, @faisal-alvi, @dkotter via #76).
- Added: SVG optimization during upload via SVGO. Feature is disabled by default but can be enabled using the safe_svg_optimizer_enabled filter (props @gsarig, @peterwilsoncc, @Sidsector9, @darylldoyle, @faisal-alvi, @dkotter, @ravinderk via #79, #145).
- Added: Spacing and color controls added to SVG block (props @bmarshall511, @iamdharmesh via #135).
- Added: Mochawesome reporter added for Cypress test report (props @jayedul, @peterwilsoncc via #124).
- Changed: Update Support Level from Active to Stable (props @Sidsector9, @iamdharmesh via #100).
- Changed: Update name of SVG block from Safe SVG Icon to Inline SVG (props @bmarshall511, @iamdharmesh via #135).
- Changed: Bump WordPress “tested up to” version 6.3 (props @dkotter, @jeffpaul via #144).
- Changed: Update the Dependency Review GitHub Action (props @jeffpaul, @Sidsector9 via #128).
- Fixed: Add namespace to the class_exists check (props @szepeviktor, @iamdharmesh via #120).
- Fixed: Ensure Sanitizer class is properly imported (props @szepeviktor, @iamdharmesh via #121).
- Fixed: Remove an unneeded global (props @szepeviktor, @iamdharmesh via #122).
- Fixed: Use absolute path in require (props @szepeviktor, @iamdharmesh via #123).
- Fixed: Ensure custom classname added to SVG block is output on the front-end (props @bmarshall511, @Sidsector9, @dkotter via #130).
- Fixed: Ensure SimpleXML exists before using it (props @sdmtt, @faisal-alvi via #140).
- Fixed: Fix markdown issues in the readme (props @szepeviktor, @iamdharmesh via #119).
- Security: Bump semver from 5.7.1 to 5.7.2 (props @dependabot via #134).
- Security: Bump word-wrap from 1.2.3 to 1.2.5 (props @dependabot via #141).
- Security: Bump tough-cookie from 4.1.2 to 4.1.3 and @cypress/request from 2.88.10 to 2.88.12 (props @dependabot via #146).
