=== Safe SVG === Contributors: 10up, enshrined Tags: svg, sanitize, upload, sanitise, security, svg upload, image, vector, file, graphic, media, mime Requires at least: 4.7 Tested up to: 5.9 Stable tag: 1.9.10 Requires PHP: 7.0 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website == Description == Safe SVG is the best way to Allow SVG Uploads in WordPress! It gives you the ability to allow SVG uploads whilst making sure that they're sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views. #### Current Features * **Sanitised SVGs** - Don't open up security holes in your WordPress site by allowing uploads of unsanitised files. * **View SVGs in the Media Library** - Gone are the days of guessing which SVG is the correct one, we'll enable SVG previews in the WordPress media library. #### Features on the Roadmap * **SVGO Optimisation** - You'll have the option to run your SVGs through our SVGO server on upload to save you space. * **Choose Who Can Upload** - Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload. Initially a proof of concept for [#24251](https://core.trac.wordpress.org/ticket/24251). SVG Sanitization is done through the following library: [https://github.com/darylldoyle/svg-sanitizer](https://github.com/darylldoyle/svg-sanitizer). == Installation == Install through the WordPress directory or download, unzip and upload the files to your `/wp-content/plugins/` directory == Frequently Asked Questions == = Can we change the allowed attributes and tags? = Yes, this can be done using the `svg_allowed_attributes` and `svg_allowed_tags` filters. They take one argument that must be returned. See below for examples: add_filter( 'svg_allowed_attributes', function ( $attributes ) { // Do what you want here... // This should return an array so add your attributes to // to the $attributes array before returning it. E.G. $attributes[] = 'target'; // This would allow the target="" attribute. return $attributes; } ); add_filter( 'svg_allowed_tags', function ( $tags ) { // Do what you want here... // This should return an array so add your tags to // to the $tags array before returning it. E.G. $tags[] = 'use'; // This would allow the element. return $tags; } ); == Changelog == = 1.9.10 - 2022-02-23 = **Note that this release bumps the WordPress minimum version from 4.0 to 4.7 and the PHP minimum version from 5.6 to 7.0.** * **Changed:** Bump WordPress minimum version from 4.0 to 4.7 (props [@cadic](https://github.com/cadic)). * **Changed:** Bump PHP minimum version from 5.6 to 7.0 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul)). * **Changed:** Update `enshrined/svg-sanitize` from 0.13.3 to 0.5.2 (props [@mehidi258](https://github.com/mehidi258), [@iamdharmesh](https://github.com/iamdharmesh), [@amdd-tim](https://github.com/amdd-tim), [@darylldoyle](https://github.com/darylldoyle), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic)). * **Changed:** Bump WordPress version "tested up to" 5.9 (props [@BBerg10up](https://github.com/BBerg10up), [@jeffpaul](https://github.com/jeffpaul), [@cadic](https://github.com/cadic)). * **Changed:** Updated library location and added a new build step (props [@darylldoyle](https://github.com/darylldoyle), [@dkotter](https://github.com/dkotter)). * **Changed:** Updated plugin assets and added docs and repo management workflows via GitHub Actions (props [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [@jeffpaul](https://github.com/jeffpaul)). * **Fixed:** Double slash being added in SVG file URL for newer uploads (props [@mehulkaklotar](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman)). * **Fixed:** Float value casting for SVGs when fetching width and height (props [@mehulkaklotar](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman)). * **Fixed:** Use calculated size for SVGs instead of using `false` (props [@dkotter](https://github.com/dkotter), [@darylldoyle](https://github.com/darylldoyle), [@fritteli](https://github.com/fritteli)). * **Fixed:** Add better file type checking when looking for SVG files (props [@davidhamann](https://github.com/davidhamann), [@dkotter](https://github.com/dkotter), [@darylldoyle](https://github.com/darylldoyle)). = 1.9.9 - 2020-05-07= * **Fixed:** Issue where 100% width is accidentally converted to 100px width (props [@joehoyle](https://github.com/joehoyle)). = 1.9.8 - 2020-05-07= * **Changed:** Underlying library update. = 1.9.7 - 2019-12-10= * **Changed:** Underlying library update. = 1.9.6 - 2019-11-07= * **Security:** Underlying library update that fixes a security issue. = 1.9.5 - 2019-11-04= * **Security:** Underlying library update that fixes some security issues. = 1.9.4 - 2019-08-21= * **Fixed:** Bug causing lots of error log output to do with `safe_svg::fix_direct_image_output()`. = 1.9.3 - 2019-02-19= * **Fixed:** Bug causing 0 height and width SVGs. = 1.9.2 - 2019-02-14= * **Fixed:** Warning about an Illegal string offset. * **Fixed:** Issue if something other than a WP_Post object is passed in via the `wp_get_attachment_image_attributes` filter. = 1.9.1 - 2019-01-29= * **Fixed:** Warning that was being generated by a change made in 1.9.0. = 1.9.0 - 2019-01-03= * **Changed:** If an image is the correct ratio, allow skipping of the crop popup when setting header/logo images with SVGs. = 1.8.1 - 2018-11-22= * **Changed:** Don't let errors break upload if uploading an empty file * **Fixed:** Featured image display in Gutenberg. Props [@dmhendricks](https://github.com/dmhendricks) :) = 1.8.0 - 2018-11-04= * **Added:** Pull SVG dimensions from the width/height or viewbox attributes of the SVG. * **Added:** role="img" attribute to SVGs. = 1.7.1 - 2018-10-01= * **Changed:** Underlying lib and added new filters for filtering allowed tags and attributes. = 1.7.0 - 2018-10-01= * **Added:** Allow devs to filter tags and attrs within WordPress. = 1.6.1 - 2018-03-17= * **Changed:** Images will now use the size chosen when inserted into the page rather than default to 2000px everytime. = 1.6.0 - 2017-12-20= * **Added:** Fairly big new feature - The library now allows `` elements as long as they don't reference external files! * **Fixed:** You can now also embed safe image types within the SVG and not have them stripped (PNG, GIF, JPG). = 1.5.3 - 2017-11-16= * **Fixed:** 1.5.2 introduced an issue that can freeze the media library. This fixes that issue. Sorry! = 1.5.2 - 2017-11-15= * **Changed:** Tested with 4.9.0. * **Fixed:** Issue with SVGs when regenerating media. = 1.5.1 - 2017-08-21= * **Fixed:** PHP strict standards warning. = 1.5.0 - 2017-06-20= * **Changed:** Library update. * **Changed:** role, aria- and data- attributes are now whitelisted to improve accessibility. = 1.4.5 - 2017-06-18= * **Changed:** Library update. * **Fixed:** some issues with defining the size of an SVG. = 1.4.4 - 2017-06-07= * **Fixed:** SVGs now display as featured images in the admin area. = 1.4.3 - 2017-03-06= * **Added:** WordPress 4.7.3 Compatibility. * **Changed:** Expanded SVG previews in media library. = 1.4.2 - 2017-02-26= * **Added:** Check / fix for when mb_* functions are not available. = 1.4.1 - 2017-02-23= * **Changed:** Underlying library to allow attributes/tags in all case variations. = 1.4.0 - 2017-02-21= * **Added:** Ability to preview SVG on both grid and list view in the wp-admin media area * **Changed:** Underlying library version. = 1.3.4 - 2017-02-20= * **Fixed:** SVGZ uploads failing and not sanitising correctly. = 1.3.3 - 2017-02-15= * **Changed:** Allow SVGZ uploads. = 1.3.2 - 2017-01-27= * **Fixed:** Mime type issue in 4.7.1. Mad props to [@LewisCowles1986](https://github.com/LewisCowles1986). = 1.3.1 - 2016-12-01= * **Changed:** Underlying library version. = 1.3.0 - 2016-10-10= * **Changed:** Minify SVGs after cleaning so they can be loaded correctly through `file_get_contents`. = 1.2.0 - 2016-02-27= * **Added:** Support for camel case attributes such as viewBox. = 1.1.1 - 2016-07-06= * **Fixed:** Issue with empty svg elements self-closing. = 1.1.0 - 2015-07-04= * **Added:** I18n. * **Added:** da, de ,en, es, fr, nl and ru translations. * **Fixed:** Issue with filename not being pulled over on failed uploads. = 1.0.0 - 2015-07-03= * Initial Release. == Upgrade Notice == = 1.9.10 = * Important: bumped the WordPress minimum version from 4.0 to 4.7 and the PHP minimum version from 5.6 to 7.0.