• Updated Review
    I feel bad giving this a negative rating, but the sanitization method in use can give a false sense of security. It’s safer than uploading the files raw, but can’t really be considered safe. I stopped using it after reading more about how challenging it is to truly sanitize SVG files.

    Hopefully a more robust library makes its way into WordPress core in the future and this won’t be an issue anymore!

    ---
    Original Review:

    There are a number of plugins in the repository to handle this, but as far as I can tell this is the only one which will correctly sanitize SVG files. This is absolutely essential and therefore this is the only SVG plugin worth using. Great work!

Viewing 4 replies - 1 through 4 (of 4 total)
  • “correctly sanitize SVG files” is probably overly optimistic.

    The library that’s being used here (SVG Sanitizer) is old and unmaintained, doesn’t have a large user base, doesn’t have unit tests, and probably hasn’t been audited by an expert.

    SVG sanitization is extremely difficult, and it’s very unlikely that SVG Sanitizer does an adequate job.

    DomPurify is probably the only library that anyone could use with confidence, but it’s client-side, so not applicable for this kind of use case. (One of the reasons it’s client-side is because comprehensive SVG sanitization in PHP is fundamentally impossible, because you need a real browser engine to actually test for all of the attack vectors.)

    There’s a new PHP library inspired by DomPurify that looks promising. It’s probably much better than SVG Sanitizer, but I wouldn’t use it on any sites where security is mission-critical until it gets more testing.
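
The reply above contrasts a blocklist ("strip what looks dangerous") with the allowlist approach DomPurify-style libraries take. The following is an added example written for this page, not code from this plugin, from SVG Sanitizer or from DomPurify; it is in Python rather than PHP so it runs without a WordPress install. The element and attribute allowlists are hypothetical and deliberately small, the sample SVG is constructed, and the point is the shape of the check, not a drop-in sanitizer:

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise SVG as the default namespace
ET.register_namespace("xlink", XLINK_NS)

# Hypothetical allowlists, kept deliberately small: whatever is not listed is dropped.
ALLOWED_ELEMENTS = {"svg", "g", "title", "desc", "defs", "use", "path", "rect",
                    "circle", "ellipse", "line", "polyline", "polygon"}
ALLOWED_ATTRIBUTES = {"id", "class", "viewBox", "transform", "d", "points", "x", "y",
                      "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
                      "width", "height", "fill", "stroke", "stroke-width"}
# href / xlink:href are kept only when they point inside the same document.
REFERENCE_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}

# Constructed sample: a harmless drawing plus a script element, an event-handler
# attribute and an external reference, i.e. the kinds of content a blocklist
# that only looks for <script> never sees.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" onload="handler()">
  <title>Logo</title>
  <script>/* inline script */</script>
  <rect x="10" y="10" width="80" height="80" fill="#0a0"/>
  <use xlink:href="https://example.invalid/remote.svg#icon"/>
  <use xlink:href="#local-symbol"/>
</svg>"""


def _local(qname):
    """'{namespace}name' -> 'name' (ElementTree's Clark notation)."""
    return qname.rsplit("}", 1)[-1]


def _svg_element_name(tag):
    """Local name if the element is in the SVG namespace, else None."""
    return _local(tag) if tag.startswith("{%s}" % SVG_NS) else None


def blocklist_sanitize(svg_text):
    """The fragile approach: remove <script> elements and nothing else."""
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if _svg_element_name(child.tag) == "script":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def allowlist_sanitize(svg_text):
    """Keep only allowlisted SVG elements and attributes; drop everything else."""
    root = ET.fromstring(svg_text)
    if _svg_element_name(root.tag) != "svg":
        raise ValueError("root element is not <svg> in the SVG namespace")
    _clean(root)
    return ET.tostring(root, encoding="unicode")


def _clean(element):
    for name, value in list(element.attrib.items()):
        if name in REFERENCE_ATTRIBUTES:
            if not value.strip().startswith("#"):   # external reference: drop it
                del element.attrib[name]
        elif "}" in name or name not in ALLOWED_ATTRIBUTES:
            del element.attrib[name]                # foreign namespace or unlisted
    for child in list(element):
        if _svg_element_name(child.tag) in ALLOWED_ELEMENTS:
            _clean(child)
        else:
            element.remove(child)                   # unknown element and its whole subtree


def inventory(svg_text):
    """(element local names, attribute local names) present in a document, for inspection."""
    root = ET.fromstring(svg_text)
    elements = {_local(e.tag) for e in root.iter()}
    attributes = {_local(a) for e in root.iter() for a in e.attrib}
    return elements, attributes


if __name__ == "__main__":
    print("blocklist:", inventory(blocklist_sanitize(SAMPLE)))
    print("allowlist:", inventory(allowlist_sanitize(SAMPLE)))
```

Running it shows the blocklist output still carrying the `onload` attribute and the external reference, while the allowlist output keeps only `svg`, `title`, `rect`, `use` and the listed geometry attributes. Two caveats for anyone adapting this: untrusted XML should be parsed with a hardened parser such as `defusedxml` rather than the stdlib one, and the commenter's point still applies to the allowlist version: a filter like this can only remove what it knows about, and whether the surviving subset is actually inert can be confirmed only against real browser engines, which is why no PHP-side library can honestly promise "correct" sanitization.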

    Thread Starter Robert Neu

    (@fatmedia)

    That’s a good point. I stopped using this after reading more about the issues with the sanitization method being used.

    I did see that newer SVG sanitization library based on DomPurify and it does look promising. They also have a WordPress plugin, but it circumvents the WordPress filesystem so I dunno if I’d use that one either…

    Plugin Author Sterling Hamilton

    (@sterlo)

    Hey guys!

    After discussions with a few people in the space — probably going to remove the sanitization altogether — my plugin makes them work and shouldn’t take the place of security overall.

    Thanks for the review!

  • The topic ‘Great attempt, but can't recommend’ is closed to new replies.