<?php
// Please see https://github.com/Lewiscowles1986/WordPressSVGPlugin from now on
Daronspence
commented
Apr 14, 2015
Only comment I would make is to either add support for PHP 5.2/3 (no closures) or patch this plugin with a version check and admin notice so things do not break. Other than that, looks good
georgestephanis
Apr 14, 2015
As I commented on twitter, please please add a caveat for current_user_can( 'unfiltered_html' )
-- allowing arbitrary svg uploads that could contain malicious scripts within the svgs is super scary.
ref: http://blog.guya.net/2014/02/17/svg-for-fun-and-phishing/
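The caveat requested in the comment above, as an added example that is not part of the gist or of any plugin named in this thread: SVG is offered as an upload type only to users holding `unfiltered_html`, and an upload is refused when the file contains script-capable markup. The `example_svg_is_inert` helper and the error text are hypothetical, and the check is a reject-list, not a full sanitizer.

```php
<?php
// Added example (not the gist's code); example_svg_is_inert() is a hypothetical helper.
// Offer SVG as an upload type only to users who already hold 'unfiltered_html'.
add_filter('upload_mimes', function ($mimes) {
    if (current_user_can('unfiltered_html')) {
        $mimes['svg'] = 'image/svg+xml';
    }
    return $mimes;
});

// Refuse SVG uploads that carry active content before WordPress stores them.
add_filter('wp_handle_upload_prefilter', function ($file) {
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'svg' && !example_svg_is_inert(file_get_contents($file['tmp_name']))) {
        $file['error'] = 'SVG rejected: it contains script or other active content.';
    }
    return $file;
});

// True only if the markup parses as XML and has no script-capable constructs.
function example_svg_is_inert($xml)
{
    // Unreadable or empty input fails closed; a DOCTYPE is refused rather than parsed.
    if (!is_string($xml) || $xml === '' || stripos($xml, '<!DOCTYPE') !== false) {
        return false;
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $loaded = $doc->loadXML($xml, LIBXML_NONET); // no network fetches while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$loaded) {
        return false;
    }
    $blocked = array('script', 'foreignobject', 'iframe', 'embed', 'object', 'handler');
    foreach ($doc->getElementsByTagName('*') as $node) {
        if (in_array(strtolower($node->localName), $blocked, true)) {
            return false;
        }
        foreach ($node->attributes as $attr) {
            // Event handlers (on*) and javascript: URLs, with whitespace tricks removed.
            $name = strtolower($attr->localName);
            $value = strtolower(preg_replace('/\s+/', '', $attr->value));
            if (strpos($name, 'on') === 0 || strpos($value, 'javascript:') !== false) {
                return false;
            }
        }
    }
    return true;
}
```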
Lewiscowles1986
Apr 15, 2015
Hey guys,
@dragonspence, apologies, I won't be supporting PHP 5.2 or 5.3; they should not be used in production in 2015. Anyone providing these versions to customers or their boss without a disclaimer is, in my opinion, doing their clients and/or boss harm. I moved to PHP 5.4 in 2012, and am now working with 5.5 and 5.6, so I don't support anything less than 5.4 as a matter of professional standards, and if asked to support 5.3 code specifically, I issue a disclaimer as part of professional conduct; but you are right, anyone else can add, it's pretty simple, not too big a deal. I am also pretty sure my function cannot be used anywhere else, but they should have mb_string replace if being used in any install with UTF-8 containing WordPress core files
@georgestephanis, I wrote about this on the WordPress Trac. SVG is not the only format that allows this, I view it as needlessly restrictive, and the job of a good antivirus & malware suite, but https://github.com/grok/wordpress-plugin-scalable-vector-graphics seems to have some form of sanitization in his more feature-filled plugin (the sanitization AFAIK), which I am told will have 4.0 support brought in from this plugin soon ;). It also seems to have 5.3 support. I would say to anyone concerned about this, you are assuming and accepting within your plans uploads of content from people either not paying due diligence, or people who represent more of a security threat than just uploading SVG files with malicious elements. I would consider this, and move your scanner / sanitize to a background daemon with inotify of file changes so a report and remittance could be pursued (different approach entirely)
gcupat
Apr 20, 2015
This is great! Just what I needed. I did notice something and I am not sure if it is just me, but when I enable the plugin I can upload SVG, but then I can't upload jpg's, giving me an error message "Sorry, this file type is not permitted for security reasons". Is there something that I am missing?
Thanks, in advance
tomyorkey
Apr 23, 2015
I have the same problem. Jpg's can't be uploaded for some reason. Any suggestions? Thanks!
Kateriine
Apr 28, 2015
Hello, same here, and for png's too. Here is a solution that seems to work:

```php
add_action('admin_init', 'add_svg_upload');

function add_svg_upload() {
    // Allow the SVG MIME type in the uploader
    add_filter('upload_mimes', 'svg_upload_mimes');

    // Buffer the admin page so the media templates can be patched at shutdown
    ob_start();
    add_action('shutdown', function() {
        $final = '';
        // ob_get_level() already returns the number of open buffers
        $ob_levels = ob_get_level();
        for ($i = 0; $i < $ob_levels; $i++) {
            $final .= ob_get_clean();
        }
        echo apply_filters('final_output', $final);
    }, 0);

    // Add an svg+xml branch ahead of the generic image branches in the templates
    add_filter('final_output', function($content) {
        $content = str_replace(
            '<# } else if ( \'image\' === data.type && data.sizes && data.sizes.full ) { #>',
            '<# } else if ( \'svg+xml\' === data.subtype ) { #>
<# } else if ( \'image\' === data.type && data.sizes && data.sizes.full ) { #>',
            $content
        );
        $content = str_replace(
            '<# } else if ( \'image\' === data.type && data.sizes ) { #>',
            '<# } else if ( \'svg+xml\' === data.subtype ) { #>
<# } else if ( \'image\' === data.type && data.sizes ) { #>',
            $content
        );
        return $content;
    });
}

// Register .svg with its MIME type, keeping the existing entries
function svg_upload_mimes($existing_mimes = array()) {
    $existing_mimes['svg'] = 'image/svg+xml';
    return $existing_mimes;
}
```
Lewiscowles1986
Jun 2, 2015
Oh hey guys, didn't see your comments there. JPG and PNG work from 4.1.2 until the most recent version, please check your other plugins and theme first ;)
Also I noticed the only mod was to existing_mimes being passed to the function, please link code in gists, you can fork them and it looks much better. I have added it in as it does look like $mimes is appearing from nowhere, but it seems to work... strange.
telemarker
Jun 13, 2015
hey lewis,
great plugin!
still there are things need to be done to make it perfect:
- if i add a svg to the tinymce field like a normal picture the height is 1 x 1 px
i tried many things with the first point but somehow my admin css does not grab the image in the tinymce at all.
Lewiscowles1986
Jun 13, 2015
Hey buddy,
weird for sure, just checked it out, the 1px x 1px error is WP internal, but I'll see what I can do to remit.
telemarker
commented
Jun 22, 2015
any news on this?
telemarker
Jul 19, 2015
hey lewis did you check on this issue, it's not a small one if you want to use svg in your site content.
Lewiscowles1986
Apr 3, 2016
@telemarker, the 1px x 1px is probably a problem with your CSS rules, you may need to pass new rules to tinyMCE about your grid or container CSS
Lewiscowles1986
May 17, 2016
Update to give multiple
goldnate
May 24, 2016
Umm, I tried to activate and got this exception:
Plugin could not be activated because it triggered a fatal error.
Parse error: syntax error, unexpected '[' in /nas/content/staging/cpsbop/wp-content/plugins/lc-svg-upload.php on line 15
Advice?
sbguy
Jun 22, 2016
Yes, Goldnate, I have the same problem. I had to revert back to plugin version 1.4.
grok
Jul 28, 2016
Just weighing in here -- I decided to remove the sanitization from my plugin mentioned above. The goal of the plugin is to enable the easy utilization of SVG, not to provide safety.
I think security plugins could do a better job about scanning files and such for that. I've chosen to narrow the focus of my plugin
Lewiscowles1986
Aug 4, 2016
@grok, thanks for the update, I really do like what you have done with your plugin. Check out the GitHub repo for some third-party contributed code (merge maybe?)