Support » Plugin: Safe SVG » filter working code example + disallowed risk reference

  • Resolved Yggy


    We use Safe SVG to make svg possible in a site with <object> tags, currently in development on our internal network.
    <object data="/wp-content/uploads/2019/07/wheel.svg"></object>

    Our svg uses anchor links to other parts of our site, Illustrator default uses xlink:href tags.
    <a xlink:href="#anchor">
    When those links are used, the object is seen as an iframe and will load the content of the link inside the object space.
    To resolve that I edited the svg after output of Illustrator.
    Changed xlink:href to href (since it will be deprecated in future version of svg) and added target="_top" to open the link outside of the object. But the target attribute gets sanitized out of the svg by Safe SVG.

    According to your faq, you can allow attributes and tags with svg_allowed_attributes and svg_allowed_tags filters.
    I know the code has to be put inside the functions.php of the used (child)theme, but I have no clue what to code in the // Do what you want here... part.

    Currently I edited /wp-content/plugins/safe-svg/lib/vendor/enshrined/svg-sanitize/src/data/AllowedAttributes.php to allow the target attribute due to lack of knowledge of using the filter. Not wise with future version updates, but it works for the moment.

    My questions:

    • Can you perhaps show a complete working code example of allowing the target attribute?
    • Do you perhaps have a reference of the disallowed tags and attributes with the related risks when allowed?

    Kind regards,

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Daryll Doyle


    Hi @yggydrasil,

    I’ve just updated the readme with better documentation of how to use these filters. Basically, it has to return an array and therefore as long as you return an array, there will be no issue.

    add_filter( 'svg_allowed_attributes', function ( $attributes ) {
        // Do what you want here...
        // This should return an array so add your attributes to
        // to the $attributes array before returning it. E.G.
        $attributes[] = 'target'; // This would allow the target="" attribute.
        return $attributes;
    } );

    This will enable your target attribute.

    In regards to the disallowed tags, that’s not something I keep track of, outside of the sanitiser repository and my local notes. If you’d like to see the allowed tags, feel free to dive into the code where you’ll find them.


    • This reply was modified 1 year, 9 months ago by Daryll Doyle.
    Thread Starter Yggy


    Hi Daryll,

    Thank you for updating the FAQ and add a working code example here!

    The allowed tags and attributes were easily found in the code, where I did the edit myself. Regarding the reference it was more why the current disallowed tags and attributes are a risk.

    Like for the target attribute I couldn’t find (search parameters for) resources why it is a risk. I assume you did research which to allow and which to disallow. Reason why I asked. 😉

    Anyway, thanks.

    Kind regards,

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘filter working code example + disallowed risk reference’ is closed to new replies.