[wp-trac] [WordPress Trac] #63149: safecss_filter_attr does not support base64 SVG image in background-image.
WordPress Trac
noreply at wordpress.org
Sat Mar 22 22:51:47 UTC 2025
#63149: safecss_filter_attr does not support base64 SVG image in background-image.
--------------------------+------------------------------
Reporter: jamal59 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.7.2
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
--------------------------+------------------------------
Changes (by SirLouen):
* keywords: => 2nd-opinion
Comment:
Hello @jamal59,
Welcome to Trac
I'm assuming that you are trying to santize the css, but there is a
problem here with SVG: They can contain javascript code being potentially
dangerous for a XSS attack.
Therefore, as far as I know, you should be doing the heavylifting when you
want to deal with SVG
If you still want to permit SVG because you feel they are in a safe
environment, there a filter called
[https://developer.wordpress.org/reference/hooks/safe_style_css/
`safe_style_css`] that might be handy in this situation to "deactivate"
the `safe_filter_attr` for example for, `background-image`. Then you could
do the sanitizing by yourself using some placeholders instead of the SVG
and `str_replace` to put them back after the `safecss_filter_attr`
Also, I recommend you to check this plugin's code: https://github.com/10up
/safe-svg
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63149#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list