Hi @skvandeusen,
That’s correct, there has been a bypass found for the underlying sanitiser. The WordPress team have disabled downloads until a fix has been confirmed.
I’m currently working on a fix and am hoping to have something ready by the end of the week, although we will have to wait for the WordPress team to review the fix before its re-enabled.
In my opinion, there’s no real reason to worry. It’s still more secure than any other SVG option out there (which offer no sanitisation) and a fix will be out shortly for the bypass found.
Sorry for the inconvenience and I hope we can get it sorted soon.
Cheers,
Daryll
Ah— that sounds like something I don’t need to be extremely worried about as I’m uploading SVG’s that I create myself 🙂
I just wish WP repo would be more detailed about why these things happen. I’m glad they are doing their best to make sure things are safe… but there’s no distinction between something small (like this) and something catastrophic.
Hi All,
Just as an update, a fix for the issue has been found and committed to the WordPress repository.
We now have to wait for the WordPress plugin team to review the fix and then it should be available for you to all update to.
Thanks for your patience.
Cheers,
Daryll
Thanks for the update @enshrined
Thanks for the update. 🙂 Also have this on quite a few sites. Deploying a site right now and I saw it didn’t come up in the search. Glad it’s not gone for good.
ah so are SVG only a problem if you don’t make them yourself? So, for instance, I make my own in illustrator does that mean they don’t need sanitising?
Hi All,
The WordPress review has now gone through successfully and the plugin is available for download. Please make sure you all upgrade to the latest version 1.9.6 in order to be fully secure again!
Thanks for your patience while we got this sorted 🙂
Cheers,
Daryll
are SVG only a problem if you don’t make them yourself? So, for instance, I make my own in illustrator does that mean they don’t need sanitising?
Correct. (unless your computer or site are pwned in some unspeakable way to attack SVGs, but if that is the case, you have bigger problems)
For client’s who are too cheap to buy the pro version (which is excellent, by the way), I run my SVGs through svgo anyway regardless of source, because why not?
