PHP South Coast 2015

I attended my first ever PHP conference yesterday, PHP South Coast. I must say, I had a great time: not only were people very welcoming, but the talks were also extremely good. The talks I attended are as follows:

Stand-out talks for me were by Cal, Jeroen, Phil and Harrie, although all were thoroughly enjoyable. I wish I had some pictures to share, but unfortunately I was paying too much attention to the actual content of the talks to remember to take some; you will be able to see some at #phpsc15, I’m sure.

Cal’s opening keynote was extremely powerful and emotive. He spoke about the need for a community and how communities, like living organisms, can thrive or fail based upon small changes. Getting involved in the PHP community is something that I’ve always wanted to do, going as far as trying to set up PHPCornwall. Due to lack of time, I’ve never got that far into it, but this talk has really given me the push I need to get bits sorted. PHPCornwall will be a thing soon, I promise!

Jeroen’s talk on Teaming up Backbone.js and the new WordPress API really got me thinking about what we can actually do with WordPress. I’ve already used the WP-API for a few things but always to power websites. The thought of powering a native application with it had only recently been mentioned to me but after seeing this talk it makes perfect sense. WordPress is an extremely powerful system and teamed up with the WP-API it seems that there’s no reason we can’t use it as a pre-built data store for other things we need!

Phil’s talk on API Pain Points was another good overview of what he goes over in his book Build APIs You Won’t Hate. This book was a saviour to me when building an internal API recently, and I encourage anyone who has to build an API to read it. Whilst the talk didn’t really cover any new material if you’ve read the book, it was good to see the man himself in action. My only regret was not grabbing him at some point to say thank you. There’s always next time, I suppose!

Harrie’s talk on Database version control without pain was probably the one I was most interested in before the conference, as it’s always been a massive annoyance for me. Harrie started off talking about his search for the silver bullet in DB version control, only to find out that there isn’t one and that the methodology you use comes down to what you and your team feel most comfortable using. Whilst it was disappointing to learn it’ll still be a pain, he showed some great tools for helping with the management and some methodologies I had never come across before. It was a very thought-provoking talk.

Maybe I’ll write up a bit more about this at a later date but for now I’m going to go and do some more playing with the WP-API!

Sanitize SVGs in WordPress

So my plugin Safe SVG has just been accepted into the WordPress plugin directory. Whilst mainly a proof of concept, I’m hoping that this plugin will help convince the core team that SVGs, with the right sanitization, should become part of core.

My major argument for allowing SVGs in core with sanitization is that there are currently 128 other SVG upload plugins in the plugin directory (source), plus posts on blogs like CSS Tricks, such as this one, that all show you how to allow SVG uploads in WordPress but don’t address, or sometimes even mention, the massive security risks that come with allowing users to upload SVGs.

SVGs should be treated as standalone XML documents, which exposes them to the whole family of XML parser attacks. For example, two of the easiest to carry out are XXE attacks and the Billion Laughs attack. Safe SVG neutralises these attacks by removing the DOCTYPE from the SVG file, something so simple yet overlooked by most other plugins.

Safe SVG also protects against XSS attacks embedded within the XML file by defining a strict whitelist of elements and attributes allowed within the SVG; anything not on these whitelists is removed. Whilst this may break some JavaScript-powered SVG animations, I feel that is a small price to pay for peace of mind when it comes to your users’ security.
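To make the two defences concrete, here is an added example of a minimal DOMDocument-based SVG sanitizer in the spirit of the plugin. It is not Safe SVG’s or svg-sanitizer’s own code, and the element and attribute whitelists are short, illustrative assumptions rather than the plugin’s real lists.

```php
<?php
// Added example, not the Safe SVG plugin's code. Strips the DOCTYPE and
// keeps only whitelisted elements/attributes. Whitelists are assumptions.

const SVG_NS = 'http://www.w3.org/2000/svg';

function sanitize_svg(string $svg): ?string
{
    $allowedElements = ['svg', 'g', 'title', 'desc', 'path', 'rect', 'circle',
        'ellipse', 'line', 'polyline', 'polygon', 'text'];
    $allowedAttributes = ['id', 'class', 'viewBox', 'width', 'height', 'fill',
        'stroke', 'stroke-width', 'd', 'x', 'y', 'cx', 'cy', 'r', 'rx', 'ry',
        'points', 'transform'];

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids fetching external resources while parsing;
    // LIBXML_NOENT is deliberately absent so entity references are not expanded.
    $loaded = $doc->loadXML($svg, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    $root = $doc->documentElement;
    if (!$loaded || $root === null || $root->localName !== 'svg'
        || $root->namespaceURI !== SVG_NS) {
        return null; // unparseable, or the root is not an SVG element: reject
    }

    // 1. Drop the DOCTYPE. Entity declarations (XXE, Billion Laughs) can only
    //    appear there, so the stored file carries none of them.
    if ($doc->doctype !== null) {
        $doc->removeChild($doc->doctype);
    }

    // 2. Remove every non-whitelisted element with its whole subtree
    //    (<script>, <foreignObject>, non-SVG namespaces), then every
    //    non-whitelisted attribute (on* handlers, href, xlink:href, style).
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        if ($el->namespaceURI !== SVG_NS
            || !in_array($el->localName, $allowedElements, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            if (!in_array($attr->nodeName, $allowedAttributes, true)) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $doc->saveXML();
}
```

Note that libxml still parses the DOCTYPE before it is removed, so the load step relies on libxml’s own entity-expansion limits (LIBXML_PARSEHUGE is not set); the removal is what keeps the definitions out of the file that browsers later parse.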

Probably the best way to learn more about Safe SVG is to go and download it from the WordPress plugin directory and take a look through the code; alternatively, you can see the library it’s built upon on GitHub. If you find a bypass or have any suggestions on how to improve this plugin or the underlying library, please don’t hesitate to contact me and let me know your thoughts.

Safe SVG for WordPress

After a lot of testing of svg-sanitizer I’ve finally decided to make a WordPress plugin for it. This is more of a PoC to show that it can be done.

Once installed, the plugin will hook into the uploads and automatically sanitize any SVGs that you upload.

I’ll update this post when it’s in the WordPress directory, but for now, here’s the download:

Click here to download