[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types

WordPress Trac noreply at wordpress.org
Wed Feb 15 00:08:01 UTC 2017


#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+------------------------------
 Reporter:  JustinSainton  |       Owner:
     Type:  enhancement    |      Status:  reopened
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Upload         |     Version:
 Severity:  normal         |  Resolution:
 Keywords:  early          |     Focuses:
---------------------------+------------------------------

Comment (by iandunn):

 Replying to [comment:72 drrobotnik]:
 > Did anyone acknowledge @pollett proof of concept patch? Is KSES
 > filtering not an option?

 I think we'll need something much more sophisticated than KSES, given
 the huge number of elements and attributes supported by SVG, as well as
 the complexity and wide variety of attack vectors.

 I haven't tested it, but I'm guessing that a simple KSES approach would
 end up blocking way too many things to be useful for real-world SVGs. The
 plugin that @enshrined built (see comment:39) is probably much closer to a
 real-world solution, but I think there's still a lot of work to do before
 Core can be confident enough to merge it.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:73>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

