SVG images and WordPress
- 5 Responses
- PonyBoy0
SVG files are awesome if you want clean crisp sharp scalable vectors (looks amazing on retina)... makes creating responsive graphics a snap (logos look perfect etc).
The security risk is pretty much non-existent if your site is maintained by you / the client... people you know / trust.
The time to worry is if you allow people to post / upload to your site (think blog comments that allow images). SVG isn't really the prob, it's the fact that it's wrapped in XML. This means you can create some evil shit if you really wanted to... stuff that could interact w/just about any script on a page (JS to Flash)... stuff that could send your server into conniption-mode (send a script into a RAM-eating loop and your server locks right up etc... look up the “Billion Laughs” attack if you feel nerdy). Then there's fun 'XML External Entity Attacks' that can literally work their way through your complete site right into your root folders... files you didn't even know you had on your server (or that you're not supposed to touch) become vulnerable...
...but this is ONLY if you allow people to upload to your site!
SVG is your friend if your site is just for display.
SVG files are being used in some nasty Ransomware right now. Hacker twats will send the SVGs with evil XML embedded as a ZIP file to various email accounts at target companies. The company employee opens the email, unzips the ZIP like an idiot and it's on!
- thanks for this info! vaxorcist
- whoah. thank you! bklyndroobeki
- :) PonyBoy
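Added example, not part of any post in this thread: a standalone Python check for the upload case PonyBoy describes, rejecting an SVG that carries a DTD (which entity-expansion and external-entity tricks depend on) or script-capable markup. The function name, element list, size limit and sample files are assumptions made for illustration.

```python
import xml.parsers.expat

# Assumed list of elements that can run or embed active content in an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
LINK_ATTRS = {"href", "xlink:href"}

# Constructed sample uploads (not taken from the thread).
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ENTITY = b'<!DOCTYPE svg [<!ENTITY a "ha"><!ENTITY b "&a;&a;">]><svg>&b;</svg>'
SCRIPTED = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'

class UnsafeSvg(Exception):
    """Raised to stop parsing as soon as a DTD is seen."""

def check_svg(data, max_bytes=1_000_000):
    """Return a list of reasons to reject the upload; an empty list means accept."""
    if len(data) > max_bytes:
        return ["file larger than upload limit"]
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entities are declared in a DTD, so refusing any DOCTYPE stops
        # the parse before a single entity declaration is processed.
        raise UnsafeSvg("DOCTYPE/DTD present (entity declarations possible)")

    def on_start(tag, attrs):
        local = tag.rsplit(":", 1)[-1].lower()  # drop any namespace prefix
        if local in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for name, value in attrs.items():
            lname = name.lower()
            if lname.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif lname in LINK_ATTRS:
                target = "".join(value.split()).lower()
                if target.startswith(("javascript:", "data:text/html")):
                    findings.append(f"script URL in {name} on <{tag}>")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except UnsafeSvg as exc:
        return [str(exc)]
    except xml.parsers.expat.ExpatError as exc:
        return [f"not well-formed XML: {exc}"]
    return findings
```

Some legitimate SVG exports include a DOCTYPE line and would be rejected by this check unless that line is stripped first.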
- bklyndroobeki0
Any background as to why it's this way in the first place?
Could I be putting a client in danger of security issues?
- I don't know, but as SVG presents some additional security risks and being that so few people will ever use SVG, it would make sense to make it optional. nb
- and not bother using SVG at all as it really isn't necessary. fadein11
- It seems any additional risks would be a bigger risk to WordPress than it would be to your client. But I'm just going off logic, I don't actually know. nb
- https://security.sta… sted
- nb0
- oh man, thanks http://i1.kym-cdn.co… bklyndroobeki
- " This plugin allows your to easily use them on your site" moldero
- therroys0
Have the same issue here. I am using the WordPress based theme from http://www.templatemonster.com/w… for my local nightlife review blog and trying to put an SVG image into a post, but I can't upload it. The warning says "this file type is not permitted for security reasons". Isn't it just an image format? How can I overcome this? Maybe adding some lines of code into my theme's .php files would help?
- goto 'plugins' in WP and search for a SVG plugin. I use 'SVG Support' (search that specifically if you just want WP to install it-else grab it here: PonyBoy
- http://benbodhi.com/… PonyBoy
- sted0
here u go:
http://bfy.tw/4ix9