Support » Plugin: Safe SVG » “Pending Full Review”

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Daryll Doyle

    (@enshrined)

    Hi @skvandeusen,

    That’s correct, there has been a bypass found for the underlying sanitiser. The WordPress team have disabled downloads until a fix has been confirmed.

    I’m currently working on a fix and am hoping to have something ready by the end of the week, although we will have to wait for the WordPress team to review the fix before it’s re-enabled.

    In my opinion, there’s no real reason to worry. It’s still more secure than any other SVG option out there (which offer no sanitisation) and a fix will be out shortly for the bypass found.

    Sorry for the inconvenience and I hope we can get it sorted soon.

    Cheers,
    Daryll

    Ah— that sounds like something I don’t need to be extremely worried about as I’m uploading SVGs that I create myself 🙂

    I just wish WP repo would be more detailed about why these things happen. I’m glad they are doing their best to make sure things are safe… but there’s no distinction between something small (like this) and something catastrophic.

    Plugin Author Daryll Doyle

    (@enshrined)

    Hi All,

    Just as an update, a fix for the issue has been found and committed to the WordPress repository.

    We now have to wait for the WordPress plugin team to review the fix and then it should be available for you to all update to.

    Thanks for your patience.

    Cheers,
    Daryll

    Thanks for the update @enshrined

    Thanks for the update. 🙂 Also have this on quite a few sites. Deploying a site right now and I saw it didn’t come up in the search. Glad it’s not gone for good.

    Ah, so are SVGs only a problem if you don’t make them yourself? So, for instance, I make my own in Illustrator; does that mean they don’t need sanitising?

    Plugin Author Daryll Doyle

    (@enshrined)

    Hi All,

    The WordPress review has now gone through successfully and the plugin is available for download. Please make sure you all upgrade to the latest version 1.9.6 in order to be fully secure again!

    Thanks for your patience while we got this sorted 🙂

    Cheers,
    Daryll

    N/A

    • This reply was modified 4 months, 3 weeks ago by dancappdesign. Reason: Own mistake. Solved

    are SVGs only a problem if you don’t make them yourself? So, for instance, I make my own in Illustrator; does that mean they don’t need sanitising?

    Correct. (unless your computer or site are pwned in some unspeakable way to attack SVGs, but if that is the case, you have bigger problems)

    For clients who are too cheap to buy the pro version (which is excellent, by the way), I run my SVGs through svgo anyway regardless of source, because why not?
