Safely Enabling SVG Support in WordPress

Or… Should the title be “Wot?! WordPress doesn’t support SVG?!!”

The Scalable Vector Graphics image format was released over 17 years ago on 04/09/2001 and the current version was released 8 years ago (v1.1 on 16/08/2011). All current major browsers support displaying SVG. As shown in the recent NLUG SVG talk, there are very good reasons to take advantage of SVG, especially on our present-day, ever bigger, ever higher-resolution displays (for the arbitrary scaling bit!). So why does WordPress (normally) not support the use of SVG?…

A rich feature of SVG is that it uses XML. With all the advantages of using XML also comes the vulnerability of potentially hosting exploits and malware… This has led to a very long discussion regarding SVG support on WordPress: “#24251 reopened enhancement Reconsider SVG inclusion to get_allowed_mime_types”. That request was opened 6 years ago and is still under discussion…

One safe way to add SVG support is to only permit ‘trusted’ users to upload (known good or assumed safe) SVG files. It is also good to use an SVG sanitizer to stop any SVG/XML vulnerabilities from affecting your WordPress site.

One such SVG sanitizer plugin for WordPress is Safe SVG by Daryll Doyle: “Allows SVG uploads into WordPress and sanitizes the SVG before saving it”. (Note: No recommendation whatsoever is given! Please check for yourself; if used, this is all at your own risk.)

Further details of SVG and of enabling SVG on WordPress can be found in this Kinsta article.

Of course, there is nothing better than to look at the SVG XML data for yourself to check that there is no obfuscated or extraneous code in there. The simpler and cleaner the SVG code is, the better! Minimal is good 🙂
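As an aid to that manual check, here is a small added example (not from this post, WordPress or the Safe SVG plugin) that lists the parts of an SVG file most worth a second look before upload. The function name `audit_svg`, the element list and the sample inputs are assumptions made for illustration; it only reports findings and is not a sanitizer.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can carry script or embedded foreign content (illustrative list).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed sample inputs (not taken from any real file).
CLEAN = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
         '<circle cx="5" cy="5" r="4" fill="#06c"/></svg>')
SUSPECT = ('<svg xmlns="http://www.w3.org/2000/svg" '
           'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
           '<script>/* constructed placeholder */</script>'
           '<a xlink:href="https://example.invalid/x"><rect width="1" height="1"/></a>'
           '<use xlink:href="#shape"/></svg>')
WITH_DTD = '<!DOCTYPE svg [<!ENTITY a "b">]><svg xmlns="http://www.w3.org/2000/svg"/>'

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def audit_svg(svg_text):
    """Return a list of findings for SVG text; an empty list means nothing flagged."""
    # Stop at DTDs/entities before parsing: a minimal SVG does not need them.
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.IGNORECASE):
        return ["DOCTYPE/ENTITY declaration present; strip it and re-check"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name).lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in ("href", "src") and not value.strip().startswith("#"):
                # Anything other than an in-document '#id' reference deserves a look.
                findings.append(f"non-local {attr} reference on <{tag}>")
    return findings

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT), ("dtd", WITH_DTD)):
        print(label, audit_svg(sample))
```

An empty result only means none of these patterns were found; it does not replace reading the file or running a sanitizer on upload.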

Good luck!
