-
-
Save Lewiscowles1986/44f059876ec205dd4d27 to your computer and use it in GitHub Desktop.
| <?php | |
| // Please see https://github.com/Lewiscowles1986/WordPressSVGPlugin from now on |
As I commented on twitter, please please add a caveat for current_user_can( 'unfiltered_html' ) -- allowing arbitrary svg uploads that could contain malicious scripts within the svgs is super scary.
ref: http://blog.guya.net/2014/02/17/svg-for-fun-and-phishing/
Hey guys,
@Dragonspence, apologies, I wont be supporting PHP 5.2 or 5.3,, they should not be used in production in 2015, anyone providing these versions to customers or their boss without a disclaimer in my opinion is doing their clients and or boss harm. I moved to PHP5.4 in 2012, and am now working with 5.5 and 5.6, so I don't support anything less than 5.4 as a matter of professional standards, and if asked to support 5.3 code specifically, I issue a disclaimer as part of professional conduct; but you are right, anyone else can add, it's pretty simple, not too big a deal. I am also pretty sure my function cannot be used anywhere else, but they should have mb_string replace if being used in any install with UTF-8 containing WordPress core files 😊
@georgestephanis, I wrote about this on the WordPress Trac. SVG is not the only format that allows this, I view it as needlessly restrictive, and the job of a good antivirus & malware suite, but https://github.com/grok/wordpress-plugin-scalable-vector-graphics seems to have some form of sanitization in his more feature-filled plugin (the sanitization AFAIK), which I am told will have 4.0 support brought in from this plugin soon ;). It also seems to have 5.3 support. I would say to anyone concerned about this, you are assuming and accepting within your plans uploads of content from people either not paying due diligence, or people who represent more of a security threat than just uploading SVG files with malicious elements. I would consider this, and move your scanner / sanitize to a background daemon with inotify of file changes so a report and remittance could be pursued (different approach entirely)
This is a great! Just what I needed. I did notice something and I am not sure if it is just me, but when enable the plugin I can upload SVG, but then I can't upload jpg's giving me an error message "Sorry, this file type is not permitted for security reasons". Is there something that I am missing?
Thanks, in advance
I have the same problem. Jpg's can't be uploaded for some reason. Any suggestions? Thanks!
Hello, same here, and for png's too. Here a solution that seems to work
add_action('admin_init', 'add_svg_upload');
function add_svg_upload() {
add_filter('upload_mimes', 'svg_upload_mimes');
ob_start();
add_action('shutdown', function() {
$final = '';
$ob_levels = count(ob_get_level());
for ($i = 0; $i < $ob_levels; $i++) {
$final .= ob_get_clean();
}
echo apply_filters('final_output', $final);
}, 0);
add_filter('final_output', function($content) {
$content = str_replace('<# } else if ( 'image' === data.type && data.sizes && data.sizes.full ) { #>',
'<# } else if ( 'svg+xml' === data.subtype ) { #>
<# } else if ( 'image' === data.type && data.sizes && data.sizes.full ) { #>',
$content
);
$content = str_replace(
'<# } else if ( 'image' === data.type && data.sizes ) { #>',
'<# } else if ( 'svg+xml' === data.subtype ) { #>
<# } else if ( 'image' === data.type && data.sizes ) { #>',
$content
);
return $content;
});
}
function svg_upload_mimes($existing_mimes=array()){
$existing_mimes['svg'] = 'image/svg+xml';
return $existing_mimes;
}
Oh hey guys, didn't see your comments there. JPG and PNG work from 4.1.2 until the most recent version, please check your other plugins and theme first ;)
Also I noticed the only mod was to existing_mimes being passed to the function, please link code in gists, you can fork them and it looks much better. I Have added it in as it does look like $mimes is appearing from nowhere, but it seems to work... strange.
hey lewis,
great plugin!
still there are things need to be done to make it perfect:
– if i add a svg to the tinymce field like a normal picture the height is 1 x 1 px
i tried many things with the first point but somehow my admin css does not grab the image in the tinymce at all.
Hey buddy,
weird for sure, just checked it out, the 1px x 1px error is WP internal, but I'll see what I can do to remit.
any news on this?
hey lewis did you check on this issue, it not a small one if you want to use svg in your site content.
@telemarker, the 1px x 1px is probably a problem with your CSS rules, you may need to pass new rules to tinyMCE about your grid or container CSS
Update to give multiple 🖕 to WP 4.5+ new custom logo incompatibility
Umm, I tried to activate and got this exception:
Plugin could not be activated because it triggered a fatal error.
Parse error: syntax error, unexpected '[' in /nas/content/staging/cpsbop/wp-content/plugins/lc-svg-upload.php on line 15
Advice?
Yes, Goldnate, I have the same problem. I had to revert back to plugin version 1.4.
@goldnate @sbguy your server is running an outdated version of PHP. Replace [] with array().
Just weighing in here -- I decided to remove the sanitization from my plugin mentioned above. The goal of the plugin is to enable the easy utilization of SVG, not to provide safety.
I think security plugins could do a better job about scanning files and such for that. I've chosen to narrow the focus of my plugin 😃
@grok, thanks for the update, I really do like what you have done with your plugin. Checkout the GitHub repo for some third-party contributed code (merge maybe?)
Only comment I would make is to either add support for PHP 5.2/3 (no closures) or patch this plugin with a version check and admin notice so things do not break. Other than that, looks good 😄