
Add global mime upload notes to readmes#302

Merged
dkotter merged 1 commit into develop from add/faq
Jan 29, 2026

Conversation

@jeffpaul
Member

Description of the Change

This pull request updates the documentation in both README.md and readme.txt to clarify the security considerations around SVG upload handling in WordPress. The new sections explain why Safe SVG does not globally enable SVG uploads and detail the limitations imposed by WordPress’s upload API, emphasizing the plugin’s focus on security over broad compatibility.

Documentation updates regarding SVG upload security:

  • Added a "Technical: Upload Path Security" section to both README.md and readme.txt, explaining that WordPress’s _wp_handle_upload() function allows arbitrary actions, making it impossible for Safe SVG to guarantee sanitization across all upload paths. [1] [2]
  • Added a "Why doesn't Safe SVG globally enable SVG uploads?" section to both documentation files, describing the risks of globally enabling SVG uploads and reinforcing the plugin’s design decision to only allow SVGs through upload paths it can actively sanitize. [1] [2]

Relates to #286, #296.

How to test the Change

Changelog Entry

Developer - Added docs on recommendation against globally enabling SVG MIME types.

Credits

Props @darylldoyle, @jeffpaul.

Checklist:
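The distinction the description draws, between globally enabling the SVG MIME type and admitting SVG only on upload paths a sanitizer actually sees, as an added PHP illustration. This is not code from this pull request or from the Safe SVG plugin; it assumes only the WordPress core hooks `upload_mimes`, `wp_handle_upload_prefilter`, `wp_handle_sideload_prefilter` and `wp_handle_upload`, and every `example_`-prefixed name, the request-scoped flag and the risky-content check are hypothetical stand-ins for a real sanitizer.

```php
<?php
/**
 * Added illustration, not Safe SVG's code. Shows the global-enable pattern
 * the docs warn against beside a gated alternative that admits SVG only on
 * the upload paths whose prefilter we hook. Assumes WordPress core hooks.
 */

// --- Pattern the docs warn against: global enable --------------------------
// Once 'svg' sits in upload_mimes unconditionally, every caller of
// wp_check_filetype() accepts SVG, including code that calls
// _wp_handle_upload() with a custom $action. Such a caller fires
// "{$action}_prefilter", not wp_handle_upload_prefilter, so a sanitizer
// hooked there never sees that file.
//
// add_filter( 'upload_mimes', function ( $mimes ) {
//     $mimes['svg'] = 'image/svg+xml';
//     return $mimes;
// } );

// --- Gated alternative -------------------------------------------------------

// Request-scoped flag (hypothetical): true only after our prefilter has
// checked the current file.
$example_svg_checked_ok = false;

/**
 * Hypothetical stand-in for a real sanitizer: parses the SVG and rejects it
 * if it contains script elements, event-handler attributes or javascript:
 * URLs. A production plugin rewrites the document rather than rejecting it.
 */
function example_svg_is_acceptable( $path ) {
    $xml = file_get_contents( $path );
    if ( false === $xml ) {
        return false;
    }
    $prev = libxml_use_internal_errors( true );
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML( $xml, LIBXML_NONET ); // never LIBXML_NOENT: that expands entities
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return false;
    }
    $xpath = new DOMXPath( $doc );
    // Any element whose local name is "script", whatever its namespace prefix.
    if ( $xpath->query( '//*[local-name()="script"]' )->length > 0 ) {
        return false;
    }
    // Event-handler attributes (onload, onclick, ...) and javascript: URLs.
    foreach ( $xpath->query( '//@*' ) as $attr ) {
        $name  = strtolower( $attr->nodeName );
        $value = strtolower( trim( $attr->nodeValue ) );
        if ( 'on' === substr( $name, 0, 2 ) || 0 === strpos( $value, 'javascript:' ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Runs only for the two standard actions. Setting $file['error'] makes
 * _wp_handle_upload() abort; otherwise the flag admits SVG for this request.
 */
function example_svg_prefilter( $file ) {
    global $example_svg_checked_ok;
    $example_svg_checked_ok = false;

    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' !== $ext ) {
        return $file; // Not an SVG; nothing to gate.
    }
    if ( ! example_svg_is_acceptable( $file['tmp_name'] ) ) {
        $file['error'] = 'This SVG contains active content and was rejected.';
        return $file;
    }
    $example_svg_checked_ok = true;
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_svg_prefilter' );
add_filter( 'wp_handle_sideload_prefilter', 'example_svg_prefilter' );

/**
 * Admit image/svg+xml only while the flag is set, i.e. only on a path that
 * fired one of the prefilters above. A custom-$action path never sets the
 * flag, so wp_check_filetype_and_ext() refuses its SVG by default.
 */
function example_svg_upload_mimes( $mimes ) {
    global $example_svg_checked_ok;
    if ( $example_svg_checked_ok ) {
        $mimes['svg'] = 'image/svg+xml';
    }
    return $mimes;
}
add_filter( 'upload_mimes', 'example_svg_upload_mimes' );

// Clear the flag once the upload has been moved into place, so later
// get_allowed_mime_types() calls in the same request do not still list SVG.
add_filter( 'wp_handle_upload', function ( $upload ) {
    global $example_svg_checked_ok;
    $example_svg_checked_ok = false;
    return $upload;
} );
```

The gating is the point of the example: the safe default is "SVG refused", and the MIME type is opened only for a file the prefilter has already inspected. The check itself is a deliberately narrow reject-on-sight stand-in; a real sanitizer rewrites the document and also reconciles the MIME type that core's `wp_check_filetype_and_ext()` detects for SVG, neither of which this sketch does.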

@jeffpaul jeffpaul added this to the 2.5.0 milestone Jan 29, 2026
@jeffpaul jeffpaul requested a review from darylldoyle January 29, 2026 19:20
@jeffpaul jeffpaul self-assigned this Jan 29, 2026
@github-actions github-actions Bot removed the request for review from darylldoyle January 29, 2026 19:20
@jeffpaul jeffpaul requested a review from darylldoyle January 29, 2026 19:21
@jeffpaul jeffpaul marked this pull request as ready for review January 29, 2026 19:21
@jeffpaul jeffpaul requested a review from dkotter as a code owner January 29, 2026 19:21
@github-actions github-actions Bot added the needs:code-review This requires code review. label Jan 29, 2026
@dkotter dkotter merged commit 86fed01 into develop Jan 29, 2026
16 checks passed
@dkotter dkotter deleted the add/faq branch January 29, 2026 20:57
@github-project-automation github-project-automation Bot moved this from QA Testing to Done in Open Source Practice Jan 29, 2026