roots/allow-svg

WordPress plugin to enable SVG uploads

Maintainers

Package info

github.com/roots/allow-svg

Type:wordpress-plugin

pkg:composer/roots/allow-svg

Fund package maintenance!

roots

Statistics

Installs: 22 099

Dependents: 0

Suggesters: 0

Stars: 39

Open Issues: 0

Security

Advisories: 0

Aikido package health analysis

v1.0.1 2025-08-12 23:22 UTC

Requires

  • php: ^8.2

Requires (Dev)

MIT 036f724c7dd5493f9a63a71d87d90757b5cbb55b

This package is auto-updated.

Last update: 2026-03-21 17:37:08 UTC

README

Packagist Downloads Build Status Follow Roots Sponsor Roots

A WordPress plugin that enables SVG uploads with validation to block malicious files.

WordPress still lacks native SVG support after 12+ years of discussion

Support us

Roots is an independent open source org, supported only by developers like you. Your sponsorship funds WP Packages and the entire Roots ecosystem, and keeps them independent. Support us by purchasing Radicle or sponsoring us on GitHub — sponsors get access to our private Discord.

Features

  • SVG Upload Support — Enables .svg uploads in the WordPress media library
  • 🔒 Security-First Validation — Detects and rejects SVG files containing potentially harmful content
  • 🖼️ Media Library Integration — SVGs display inline like standard images
  • 🧩 Zero Dependencies — No external libraries or frameworks
  • ⚙️ Zero Configuration — No settings or admin bloat

Requirements

  • PHP 8.2 or higher
  • WordPress 5.9 or higher

Installation

via Composer

composer require roots/allow-svg
Install as a mu-plugin

If you are using Bedrock, you can install this as a must-use plugin by modifying your composer.json to install the package to the mu-plugins directory.

{
    "extra": {
        "installer-paths": {
            "web/app/mu-plugins/{$name}/": [
                "type:wordpress-muplugin",
                "roots/allow-svg"
            ]
        }
    }
}

Manual

  1. Download allow-svg.php
  2. Place in wp-content/plugins/allow-svg/
  3. Activate via wp-admin or WP-CLI

Usage

Once activated, the plugin automatically:

  1. Enables SVG uploads through the Media Library or block editor
  2. Performs strict validation on all SVG files
  3. Rejects malicious files with clear error messages
  4. Accepts clean, standards-compliant SVGs as-is

No configuration required.

Security

This plugin uses a deny-first approach: it doesn't attempt to sanitize SVGs, it rejects files that appear unsafe.

Accepts:

  • Basic SVG shapes, paths, text, and inline styles
  • ViewBox and standard attributes

Rejects:

  • <script> tags or inline JavaScript
  • Event handlers like onclick, onload, etc.
  • External references (href, xlink:href, iframe, object, embed)
  • CSS expressions and @import rules
  • Data URLs containing script or HTML content

XML Hardening:

  • XXE Protection — Blocks <!DOCTYPE> and external entity declarations
  • Entity Expansion Limits — Rejects suspicious &entity; usage
  • Uses DOMDocument with external entities disabled

Community

Keep track of development and community news.