Merged
12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -25,6 +25,10 @@ SVG Sanitization is done through the following library: [https://github.com/dary

SVG Optimization is done through the following library: [https://github.com/svg/svgo](https://github.com/svg/svgo).

### Technical: Upload Path Security

WordPress’s `_wp_handle_upload( $file, $action )` function allows any `$action` value, which determines the filter hook name: `{$action}_prefilter`. Safe SVG hooks common actions like `wp_handle_upload` and `wp_handle_sideload`, but cannot hook arbitrary custom actions defined by third-party code. Since upload actions are unbounded and MIME allowances are global, we cannot guarantee sanitization coverage across all possible upload paths.

## Requirements

* PHP 7.4+
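
Review bot: In the added "Technical: Upload Path Security" paragraph, "Safe SVG hooks common actions like `wp_handle_upload` and `wp_handle_sideload`" names `$action` values, not filters, immediately after the sentence explaining that the hook name is `{$action}_prefilter`. Writing out the resulting hook names would let a reader compare them against their own upload code. The paragraph also stops at "we cannot guarantee sanitization coverage across all possible upload paths" without stating the consequence. A closing sentence saying that SVGs are therefore only allowed on the hooked paths, as the FAQ entry added further down this file does, would keep the section from reading as an unaddressed gap.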
Expand Down Expand Up @@ -68,6 +72,14 @@ add_filter( 'svg_allowed_tags', function ( $tags ) {
} );
```

### Why doesn't Safe SVG globally enable SVG uploads?

Safe SVG only allows SVGs through upload paths it can actively sanitize. While most WordPress uploads use standard functions like `wp_handle_upload()` (which Safe SVG hooks), plugins and themes can create custom upload paths by calling WordPress's underlying `_wp_handle_upload()` function with arbitrary action parameters.

Globally enabling the `image/svg+xml` MIME type would allow SVGs through all upload paths—including custom ones Safe SVG cannot intercept and sanitize. This would create security vulnerabilities where unsanitized SVGs containing malicious scripts could be uploaded.

This is a deliberate design decision: Safe SVG prioritizes guaranteed sanitization over broad compatibility. SVGs are only allowed when we can ensure they're safe.

### Where do I report security bugs found in this plugin?

Please report security bugs found in the source code of the Safe SVG plugin through the [Patchstack Vulnerability Disclosure  Program](https://patchstack.com/database/vdp/9e5fb4ed-587a-4ada-8dc3-a5b7362c0501). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
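
Review bot: The new "Why doesn't Safe SVG globally enable SVG uploads?" answer says plugins and themes can call `_wp_handle_upload()` with arbitrary action parameters, but it does not say what a site owner will see when an SVG goes through such a path, or what the author of custom upload code should do to get SVG support. One sentence on the observable behaviour and one on the recommended route would make the entry actionable. In the last paragraph, "guaranteed sanitization" also reads oddly beside "we cannot guarantee sanitization coverage" in the technical section of the same file. Wording such as "sanitization on every path where SVGs are allowed" would be more exact.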
12 changes: 12 additions & 0 deletions readme.txt
Expand Up @@ -27,6 +27,10 @@ SVG Sanitization is done through the following library: [https://github.com/dary

SVG Optimization is done through the following library: [https://github.com/svg/svgo](https://github.com/svg/svgo).

= Technical: Upload Path Security =

WordPress’s `_wp_handle_upload( $file, $action )` function allows any `$action` value, which determines the filter hook name: `{$action}_prefilter`. Safe SVG hooks common actions like `wp_handle_upload` and `wp_handle_sideload`, but cannot hook arbitrary custom actions defined by third-party code. Since upload actions are unbounded and MIME allowances are global, we cannot guarantee sanitization coverage across all possible upload paths.

== Installation ==

Install through the WordPress directory or download, unzip and upload the files to your `/wp-content/plugins/` directory
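
Review bot: The paragraph under `= Technical: Upload Path Security =` is a verbatim copy of the one added to README.md, so any later correction has to be made in both files. A short comment in the PR description or contributing notes about keeping the two in sync would help. The copy also uses a typographic apostrophe in "WordPress’s" while the FAQ entry added to this same file writes "WordPress's" with a straight one. Pick one form for both additions.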
Expand Down Expand Up @@ -63,6 +67,14 @@ They take one argument that must be returned. See below for examples:
return $tags;
} );

= Why doesn't Safe SVG globally enable SVG uploads? =

Safe SVG only allows SVGs through upload paths it can actively sanitize. While most WordPress uploads use standard functions like `wp_handle_upload()` (which Safe SVG hooks), plugins and themes can create custom upload paths by calling WordPress's underlying `_wp_handle_upload()` function with arbitrary action parameters.

Globally enabling the `image/svg+xml` MIME type would allow SVGs through all upload paths—including custom ones Safe SVG cannot intercept and sanitize. This would create security vulnerabilities where unsanitized SVGs containing malicious scripts could be uploaded.

This is a deliberate design decision: Safe SVG prioritizes guaranteed sanitization over broad compatibility. SVGs are only allowed when we can ensure they're safe.

= Where do I report security bugs found in this plugin? =

Please report security bugs found in the source code of the Safe SVG plugin through the [Patchstack Vulnerability Disclosure  Program](https://patchstack.com/database/vdp/9e5fb4ed-587a-4ada-8dc3-a5b7362c0501). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
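
Review bot: The FAQ answer added under `= Why doesn't Safe SVG globally enable SVG uploads? =` refers to "arbitrary action parameters" without pointing to the "Technical: Upload Path Security" section added earlier in this file, which is where `{$action}_prefilter` is explained. A cross-reference would spare readers from piecing the two together. The two additions also describe the same coverage differently: this answer lists functions such as `wp_handle_upload()`, while the technical section lists the actions `wp_handle_upload` and `wp_handle_sideload`. Using one framing in both places, or stating how they relate, would remove the ambiguity about whether sideloads are covered.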