Last active
February 18, 2023 05:19
-
-
Save Ciantic/ac5723093fff59fc36d2c54d2732aac3 to your computer and use it in GitHub Desktop.
WordPress allow uploading SVG, even without the XML declaration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // Mind you, this does not make SVG files safe. This script is meant for sites where only trusted people can upload. | |
| add_action("init", function() { | |
| // First line of defence defused | |
| add_filter('upload_mimes', function ($mimes) { | |
| $mimes['svg'] = 'image/svg+xml'; | |
| return $mimes; | |
| }); | |
| // Add the XML Declaration if it's missing (otherwise WordPress does not allow uploads) | |
| add_filter("wp_handle_upload_prefilter", function ($upload) { | |
| if (!empty($upload["type"]) && $upload["type"] === "image/svg+xml") { | |
| $contents = file_get_contents($upload["tmp_name"]); | |
| if (strpos($contents, "<?xml") === false) { | |
| file_put_contents($upload["tmp_name"], '<?xml version="1.0" encoding="UTF-8"?>' . $contents); | |
| } | |
| } | |
| return $upload; | |
| }, 10, 1); | |
| }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment