How to allow SVG uploads in WordPress

Don’t.

Nope, stop.

You developers/bloggers who keep passing the below code around as a valid way of allowing SVG uploads in WordPress are killing me inside.

function cc_mime_types($mimes) {
    $mimes['svg'] = 'image/svg+xml';
    return $mimes;
}
add_filter('upload_mimes', 'cc_mime_types');

Yes, this will allow you to upload SVGs in WordPress, it will also allow someone to upload an XML Bomb or an SVG with an XXE attack or god forbid a lovely XSS attack. You see, too many developers are allowing SVG uploads without thinking about what that means. Seriously, why do you think WordPress hasn’t added SVG uploads into core yet? Not because they want to make life difficult but because they understand the security risks that are imposed by allowing an SVG to be uploaded.

There is currently, as far as I’m aware, no well tested PHP library for SVG sanitisation. There have been a few attempts but as far as I can tell, they’ve all been far too lenient on allowing potentially dangerous attributes through. To me, this means they either are too trusting, or don’t fully understand the potential payloads that can be embedded within an SVG.

The library I’ve been working on has taken the opposite stance. By default, be overly aggressive when stripping attributes and elements and then allow people to add their own whitelist if they need to. This, I think is the only feasible way of properly sanitising an SVG.

As for WordPress and SVGs, please stop using the above code. It makes me cringe every time I see it, especially when I think that this is actually in use on production sites. Fine, play with SVGs locally but to put this on a public facing server? Well, you’re a braver person than me.

Please people, use SVGs in your front end builds, use it as backgrounds, images, inline, whatever, but please stop allowing people to upload un-sanitised SVGs to the system. There’s no difference between allowing an SVG upload to allowing a PHP upload. For those of you that think that allowing a PHP upload is OK, because there’s obviously a fair few of you please stop developing. Seriously.

/rant

Why I hate the WordPress signup page

I’ve been working with WordPress multisite a lot recently and whilst all in all it’s not too bad, there is one thing that really pisses me off about it, wp-signup.php. No matter how many times I try and get my head round the contents of this file, I still struggle.

It just seems like this file is a complete cluster-fuck of functions, html and css. On top of that, I feel there are insufficient hooks and filters to allow you to customise it properly without hacking the file to pieces.

I’ve had to style up a few signup pages recently for a project of ours and it was that much of a pain in the ass, I ended up using Gravity Forms to create a custom signup page that was 100 times better looking and easier to style.

Now, I’m not saying that wp-signup.php is useless, it does it’s job and it seems to do it well, my only gripe is that it’s so unstructured and hard to customise. That’s something that can be fixed though and it’s my hope that someone will address this in time for WordPress 4.4. I think I may have a crack at it this week and see what happens, we’ll see though.