roots/allow-svg

WordPress plugin to enable SVG uploads

Fund package maintenance!
roots

Installs: 25

Dependents: 0

Suggesters: 0

Security: 0

Stars: 2

Watchers: 0

Forks: 0

Open Issues: 0

Type:wordpress-plugin

v1.0.0 2025-07-27 16:10 UTC

This package is auto-updated.

Last update: 2025-07-31 13:51:32 UTC


README

Packagist Downloads Build Status Follow roots.io on Bluesky

Allow SVG

A WordPress plugin that enables SVG uploads with validation to block malicious files.

WordPress still lacks native SVG support after 12+ years of discussion

Features

  • SVG Upload Support — Enables .svg uploads in the WordPress media library
  • 🔒 Security-First Validation — Detects and rejects SVG files containing potentially harmful content
  • 🖼️ Media Library Integration — SVGs display inline like standard images
  • 🧩 Zero Dependencies — No external libraries or frameworks
  • ⚙️ Zero Configuration — No settings or admin bloat

Requirements

  • PHP 8.2 or higher
  • WordPress 5.9 or higher

Installation

via Composer

composer require roots/allow-svg
Install as a mu-plugin

If you are using Bedrock, you can install this as a must-use plugin by modifying your composer.json to install the package to the mu-plugins directory.

{
    "extra": {
        "installer-paths": {
            "web/app/mu-plugins/{$name}/": [
                "type:wordpress-muplugin",
                "roots/allow-svg"
            ]
        }
    }
}

Manual

  1. Download allow-svg.php
  2. Place in wp-content/plugins/allow-svg/
  3. Activate via wp-admin or WP-CLI

Usage

Once activated, the plugin automatically:

  1. Enables SVG uploads through the Media Library or block editor
  2. Performs strict validation on all SVG files
  3. Rejects malicious files with clear error messages
  4. Accepts clean, standards-compliant SVGs as-is

No configuration required.

Security

This plugin uses a deny-first approach: it doesn't attempt to sanitize SVGs, it rejects files that appear unsafe.

Accepts:

  • Basic SVG shapes, paths, text, and inline styles
  • ViewBox and standard attributes

Rejects:

  • <script> tags or inline JavaScript
  • Event handlers like onclick, onload, etc.
  • External references (href, xlink:href, iframe, object, embed)
  • CSS expressions and @import rules
  • Data URLs containing script or HTML content

XML Hardening:

  • XXE Protection — Blocks <!DOCTYPE> and external entity declarations
  • Entity Expansion Limits — Rejects suspicious &entity; usage
  • Uses DOMDocument with external entities disabled

Sponsors

Allow SVG is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider sponsoring us.

Support