Daryll Doyle WordPress Development and Consultancy in Cornwall

Category: Security

How to properly include inline SVGs in a WordPress theme

SVGs are used all the time in WordPress themes, and for good reason: they are scalable, small in size, and when included inline their colours etc. can be changed without needing another image. There is one thing that bugs me when I see this, though, especially with user-uploaded SVGs: the way they're included in the theme. There are three real ways I've seen it done: Using...

Securing SVG Uploads in WordPress

This is from a talk I gave at WordCamp London 2018. Introduction: This is briefly what I'm going to try to cover in this post. We'll start with what an SVG actually is, moving on to the issues with SVGs on the web, why they're dangerous and what dangers they present. I'll then look at how we can sanitise them, where we'll cover some of the issues with sanitisation...

Moving WordPress onto HTTPS

So recently I've been moving a fair few WordPress sites over to run completely on HTTPS, and whilst this should be a simple URL switch, WordPress can make it a bit of a pain. Therefore, below is my preferred way of making the transition. For the sake of this post, I'm going to assume you've already purchased and installed your SSL certificate (if you haven't, Namecheap are...

How to allow SVG uploads in WordPress

Don't. Nope, stop. You developers/bloggers who keep passing the below code around as a valid way of allowing SVG uploads in WordPress are killing me inside. Yes, this will allow you to upload SVGs in WordPress; it will also allow someone to upload an XML bomb, an SVG carrying an XXE attack or, god forbid, a lovely XSS attack. You see, too many developers are allowing SVG uploads without...

Sanitize SVGs in WordPress

So my plugin Safe SVG has just been accepted into the WordPress plugin directory. Whilst mainly a proof of concept, I'm hoping that this plugin will help convince the core team that SVGs, with the right sanitization, should become part of core. My major argument for allowing SVGs in core with sanitization is that there are currently 128 other SVG upload plugins in the plugin directory...