{"id":30246736,"url":"https://github.com/roots/allow-svg","last_synced_at":"2025-08-15T05:38:29.712Z","repository":{"id":307494515,"uuid":"1026830774","full_name":"roots/allow-svg","owner":"roots","description":"A WordPress plugin that enables SVG uploads with validation to block malicious files.","archived":false,"fork":false,"pushed_at":"2025-07-31T13:50:35.000Z","size":29,"stargazers_count":18,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-08T08:58:21.928Z","etag":null,"topics":["wordpress-plugin","wordpress-svg"],"latest_commit_sha":null,"homepage":"https://github.com/roots/allow-svg","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/roots.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"roots"}},"created_at":"2025-07-26T17:47:43.000Z","updated_at":"2025-08-07T06:33:45.000Z","dependencies_parsed_at":"2025-07-31T17:18:51.145Z","dependency_job_id":null,"html_url":"https://github.com/roots/allow-svg","commit_stats":null,"previous_names":["roots/allow-svg"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/roots/allow-svg","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roots%2Fallow-svg","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roots%2Fallow-svg/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roots%2Fallow-svg/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roots%2Fallow-svg/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/roots","download_url":"https://codeload.github.com/roots/allow-svg/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roots%2Fallow-svg/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270528662,"owners_count":24601125,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-15T02:00:12.559Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["wordpress-plugin","wordpress-svg"],"created_at":"2025-08-15T05:38:23.221Z","updated_at":"2025-08-15T05:38:29.700Z","avatar_url":"https://github.com/roots.png","language":"PHP","funding_links":["https://github.com/sponsors/roots"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://packagist.org/packages/roots/allow-svg\"\u003e\u003cimg alt=\"Packagist Downloads\" src=\"https://img.shields.io/packagist/dt/roots/allow-svg?label=downloads\u0026colorB=2b3072\u0026colorA=525ddc\u0026style=flat-square\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/roots/allow-svg/actions/workflows/tests.yml\"\u003e\u003cimg alt=\"Build Status\" src=\"https://img.shields.io/github/actions/workflow/status/roots/allow-svg/tests.yml?branch=main\u0026logo=github\u0026label=CI\u0026style=flat-square\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://bsky.app/profile/roots.io\"\u003e\u003cimg alt=\"Follow roots.io on Bluesky\" src=\"https://img.shields.io/badge/follow-@roots.io-0085ff?logo=bluesky\u0026style=flat-square\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# Allow SVG\n\nA WordPress plugin that enables SVG uploads with validation to block malicious files.\n\n\u003e WordPress still lacks native SVG support after [12+ years of discussion](https://core.trac.wordpress.org/ticket/24251)\n\n## Features\n\n- ✅ **SVG Upload Support** — Enables `.svg` uploads in the WordPress media library\n- 🔒 **Security-First Validation** — Detects and rejects SVG files containing potentially harmful content\n- 🖼️ **Media Library Integration** — SVGs display inline like standard images\n- 🧩 **Zero Dependencies** — No external libraries or frameworks\n- ⚙️ **Zero Configuration** — No settings or admin bloat\n\n## Requirements\n\n- PHP 8.2 or higher\n- WordPress 5.9 or higher\n\n## Installation\n\n### via Composer\n\n```bash\ncomposer require roots/allow-svg\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eInstall as a mu-plugin\u003c/summary\u003e\n\nIf you are using [Bedrock](https://roots.io/bedrock/), you can install this as a must-use plugin by modifying your `composer.json` to install the package to the `mu-plugins` directory.\n\n```json\n{\n    \"extra\": {\n        \"installer-paths\": {\n            \"web/app/mu-plugins/{$name}/\": [\n                \"type:wordpress-muplugin\",\n                \"roots/allow-svg\"\n            ]\n        }\n    }\n}\n```\n\n\u003c/details\u003e\n\n### Manual\n\n1. Download `allow-svg.php`\n2. Place in `wp-content/plugins/allow-svg/`\n3. Activate via wp-admin or WP-CLI\n\n## Usage\n\nOnce activated, the plugin automatically:\n\n1. Enables SVG uploads through the Media Library or block editor\n2. Performs strict validation on all SVG files\n3. Rejects malicious files with clear error messages\n4. Accepts clean, standards-compliant SVGs as-is\n\nNo configuration required.\n\n## Security\n\nThis plugin uses a **deny-first approach**: it doesn't attempt to sanitize SVGs, it rejects files that appear unsafe.\n\n### Accepts:\n\n- Basic SVG shapes, paths, text, and inline styles\n- ViewBox and standard attributes\n\n### Rejects:\n\n- `\u003cscript\u003e` tags or inline JavaScript\n- Event handlers like `onclick`, `onload`, etc.\n- External references (`href`, `xlink:href`, `iframe`, `object`, `embed`)\n- CSS expressions and `@import` rules\n- Data URLs containing script or HTML content\n\n### XML Hardening:\n\n- **XXE Protection** — Blocks `\u003c!DOCTYPE\u003e` and external entity declarations\n- **Entity Expansion Limits** — Rejects suspicious `\u0026entity;` usage\n- Uses `DOMDocument` with external entities disabled\n\n## Sponsors\n\nAllow SVG is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, [please consider sponsoring us](https://github.com/sponsors/roots).\n\n## Support\n\n- GitHub Issues: https://github.com/roots/allow-svg/issues\n- Roots Discourse: https://discourse.roots.io/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Froots%2Fallow-svg","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Froots%2Fallow-svg","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Froots%2Fallow-svg/lists"}