This is from a talk I gave at WordCamp London 2018. Introduction: This is briefly what I’m going to try and cover in this post. We’ll start with what an SVG actually is, moving on to the issues with SVGs on the web, why they’re dangerous and what dangers they present. I’ll then look at how we can sanitise them, where we’ll cover some of the issues with sanitisation...
Merging ACF Field Group Tabs
Advanced Custom Fields is great but sometimes, especially when re-using field groups across templates, the admin area can get a little overwhelming. Tabs help but not when you’re using multiple field groups. To get around this I used to use this plugin for merging ACF tabs. It worked very well but hasn’t been updated in around 2 years and therefore doesn’t work at all on the new...
Background Image Resizing in WordPress
Since the media changes in WordPress 4.5 there have been a number of reports of upload issues, such as uploads timing out, as mentioned in this trac ticket. The reason behind this is very possibly the changes in the ImageMagick class. Whilst images are now handled better than before, it’s also added slightly more overhead to the code that resizes images. Now for a standard WordPress...
Integrating WordPress into Laravel
The Problem: Recently, whilst working on an outsourced project at We Are DWM, we had a Laravel app and a WordPress site running side by side. The client had wanted the same design across both “sites” and for it to appear as seamless as possible. This really gave us two options: maintain two separate sets of CSS and templates, one for WordPress and another for Laravel, or find a way to...
Moving WordPress onto HTTPS
So recently I’ve been moving a fair few WordPress sites over to run completely on HTTPS and whilst this should be a simple URL switch, WordPress can make it a bit of a pain. Therefore, below is my preferred way of making the transition. For the sake of this post, I’m going to assume you’ve already purchased and installed your SSL certificate (if you haven’t Namecheap are...
How to allow SVG uploads in WordPress
Don’t. Nope, stop. You developers/bloggers who keep passing the below code around as a valid way of allowing SVG uploads in WordPress are killing me inside. Yes, this will allow you to upload SVGs in WordPress, it will also allow someone to upload an XML Bomb or an SVG with an XXE attack or god forbid a lovely XSS attack. You see, too many developers are allowing SVG uploads without...
Why I hate the WordPress signup page
I’ve been working with WordPress multisite a lot recently and whilst all in all it’s not too bad, there is one thing that really pisses me off about it: wp-signup.php. No matter how many times I try and get my head round the contents of this file, I still struggle. It just seems like this file is a complete cluster-fuck of functions, HTML and CSS. On top of that, I feel there are...
PHP South Coast 2015
I attended my first ever PHP conference yesterday, PHP South Coast. I must say, I had a great time; not only were people very welcoming, but the talks were also extremely good. The talks I attended are as follows: Keynote: Cal Evans; Parallel PHP: Joe Watkins; The Art of Programming: Erika Heidi; Teaming up Backbone.js and the new WordPress API: Jeroen van Dijk; API Pain Points: Phil Sturgeon...
Sanitize SVGs in WordPress
So my plugin Safe SVG has just been accepted into the WordPress plugin directory. Whilst mainly a proof of concept, I’m hoping that this plugin will help convince the core team that SVGs, with the right sanitization, should become part of core. My major argument for allowing SVGs in core with sanitization is that there are currently 128 other SVG upload plugins in the plugin directory...
Safe SVG for WordPress
After a lot of testing of svg-sanitizer I’ve finally decided to make a WordPress plugin for it. This is more of a PoC to show that it can be done.
Once installed, the plugin will hook into the uploads and automatically sanitize any SVGs that you upload.
I’ll update this post when it’s on the WordPress directory but for now, here’s the download:
Click here to download