roots/allow-svg

WordPress plugin to enable SVG uploads

Maintainers

Package info

github.com/roots/allow-svg

Type:wordpress-plugin

pkg:composer/roots/allow-svg

Fund package maintenance!

roots

Statistics

Installs: 20 200

Dependents: 0

Suggesters: 0

Stars: 38

Open Issues: 0

Security

Advisories: 0

Aikido package health analysis

v1.0.1 2025-08-12 23:22 UTC

Requires

  • php: ^8.2

Requires (Dev)

MIT 036f724c7dd5493f9a63a71d87d90757b5cbb55b

This package is auto-updated.

Last update: 2026-03-10 02:11:46 UTC

README

Packagist Downloads Build Status Follow Roots Sponsor Roots

A WordPress plugin that enables SVG uploads with validation to block malicious files.

WordPress still lacks native SVG support after 12+ years of discussion

Support us

We're dedicated to pushing modern WordPress development forward through our open source projects, and we need your support to keep building. You can support our work by purchasing Radicle, our recommended WordPress stack, or by sponsoring us on GitHub. Every contribution directly helps us create better tools for the WordPress ecosystem.

Features

  • SVG Upload Support — Enables .svg uploads in the WordPress media library
  • 🔒 Security-First Validation — Detects and rejects SVG files containing potentially harmful content
  • 🖼️ Media Library Integration — SVGs display inline like standard images
  • 🧩 Zero Dependencies — No external libraries or frameworks
  • ⚙️ Zero Configuration — No settings or admin bloat

Requirements

  • PHP 8.2 or higher
  • WordPress 5.9 or higher

Installation

via Composer

composer require roots/allow-svg
Install as a mu-plugin

If you are using Bedrock, you can install this as a must-use plugin by modifying your composer.json to install the package to the mu-plugins directory.

{
    "extra": {
        "installer-paths": {
            "web/app/mu-plugins/{$name}/": [
                "type:wordpress-muplugin",
                "roots/allow-svg"
            ]
        }
    }
}

Manual

  1. Download allow-svg.php
  2. Place in wp-content/plugins/allow-svg/
  3. Activate via wp-admin or WP-CLI

Usage

Once activated, the plugin automatically:

  1. Enables SVG uploads through the Media Library or block editor
  2. Performs strict validation on all SVG files
  3. Rejects malicious files with clear error messages
  4. Accepts clean, standards-compliant SVGs as-is

No configuration required.

Security

This plugin uses a deny-first approach: it doesn't attempt to sanitize SVGs, it rejects files that appear unsafe.

Accepts:

  • Basic SVG shapes, paths, text, and inline styles
  • ViewBox and standard attributes

Rejects:

  • <script> tags or inline JavaScript
  • Event handlers like onclick, onload, etc.
  • External references (href, xlink:href, iframe, object, embed)
  • CSS expressions and @import rules
  • Data URLs containing script or HTML content

XML Hardening:

  • XXE Protection — Blocks <!DOCTYPE> and external entity declarations
  • Entity Expansion Limits — Rejects suspicious &entity; usage
  • Uses DOMDocument with external entities disabled

Community

Keep track of development and community news.