roots / allow-svg
WordPress plugin to enable SVG uploads
Installs: 25
Dependents: 0
Suggesters: 0
Security: 0
Stars: 2
Watchers: 0
Forks: 0
Open Issues: 0
Type: wordpress-plugin
Requires
- php: ^8.2
Requires (Dev)
- laravel/pint: ^1.24
- phpunit/phpunit: ^11.0
- yoast/phpunit-polyfills: ^4.0
README
Allow SVG
A WordPress plugin that enables SVG uploads with validation to block malicious files.
WordPress still lacks native SVG support after 12+ years of discussion.
Features
- ✅ SVG Upload Support — Enables `.svg` uploads in the WordPress media library
- 🔒 Security-First Validation — Detects and rejects SVG files containing potentially harmful content
- 🖼️ Media Library Integration — SVGs display inline like standard images
- 🧩 Zero Dependencies — No external libraries or frameworks
- ⚙️ Zero Configuration — No settings or admin bloat
Requirements
- PHP 8.2 or higher
- WordPress 5.9 or higher
Installation
via Composer
```bash
composer require roots/allow-svg
```
Install as a mu-plugin
If you are using Bedrock, you can install this as a must-use plugin by modifying your `composer.json` to install the package to the `mu-plugins` directory:

```json
{
  "extra": {
    "installer-paths": {
      "web/app/mu-plugins/{$name}/": [
        "type:wordpress-muplugin",
        "roots/allow-svg"
      ]
    }
  }
}
```
Manual
- Download `allow-svg.php`
- Place it in `wp-content/plugins/allow-svg/`
- Activate via wp-admin or WP-CLI
Usage
Once activated, the plugin automatically:
- Enables SVG uploads through the Media Library or block editor
- Performs strict validation on all SVG files
- Rejects malicious files with clear error messages
- Accepts clean, standards-compliant SVGs as-is
No configuration required.
Security
This plugin uses a deny-first approach: it does not attempt to sanitize SVGs; any file that appears unsafe is rejected outright.
Accepts:
- Basic SVG shapes, paths, text, and inline styles
- ViewBox and standard attributes
Rejects:
- `<script>` tags or inline JavaScript
- Event handlers like `onclick`, `onload`, etc.
- External references (`href`, `xlink:href`, `iframe`, `object`, `embed`)
- CSS expressions and `@import` rules
- Data URLs containing script or HTML content
XML Hardening:
- XXE Protection — Blocks `<!DOCTYPE>` and external entity declarations
- Entity Expansion Limits — Rejects suspicious `&entity;` usage
- Uses `DOMDocument` with external entities disabled
Sponsors
Allow SVG is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider sponsoring us.
Support
- GitHub Issues: https://github.com/roots/allow-svg/issues
- Roots Discourse: https://discourse.roots.io/