
roots/allow-svg

Latest stable version: v1.0.1

Composer install command:

composer require roots/allow-svg

Package description

WordPress plugin to enable SVG uploads

README


Allow SVG

A WordPress plugin that enables SVG uploads with validation to block malicious files.

WordPress still lacks native SVG support after 12+ years of discussion

Features

  • SVG Upload Support — Enables .svg uploads in the WordPress media library
  • 🔒 Security-First Validation — Detects and rejects SVG files containing potentially harmful content
  • 🖼️ Media Library Integration — SVGs display inline like standard images
  • 🧩 Zero Dependencies — No external libraries or frameworks
  • ⚙️ Zero Configuration — No settings or admin bloat

Requirements

  • PHP 8.2 or higher
  • WordPress 5.9 or higher

Installation

via Composer

composer require roots/allow-svg

Install as a mu-plugin

If you are using Bedrock, you can install this as a must-use plugin by modifying your composer.json to install the package to the mu-plugins directory.

{
    "extra": {
        "installer-paths": {
            "web/app/mu-plugins/{$name}/": [
                "type:wordpress-muplugin",
                "roots/allow-svg"
            ]
        }
    }
}

Manual

  1. Download allow-svg.php
  2. Place in wp-content/plugins/allow-svg/
  3. Activate via wp-admin or WP-CLI

Usage

Once activated, the plugin automatically:

  1. Enables SVG uploads through the Media Library or block editor
  2. Performs strict validation on all SVG files
  3. Rejects malicious files with clear error messages
  4. Accepts clean, standards-compliant SVGs as-is

No configuration required.

Security

This plugin uses a deny-first approach: it does not attempt to sanitize SVGs. A file either passes through unchanged or is rejected outright; nothing is stripped or rewritten, so an upload that appears unsafe never reaches the media library in any form.

Accepts:

  • Basic SVG shapes, paths, text, and inline styles
  • ViewBox and standard attributes

Rejects:

  • <script> tags or inline JavaScript
  • Event handlers like onclick, onload, etc.
  • External references (href, xlink:href, iframe, object, embed)
  • CSS expressions and @import rules
  • Data URLs containing script or HTML content

XML Hardening:

  • XXE Protection — Blocks <!DOCTYPE> and external entity declarations
  • Entity Expansion Limits — Rejects suspicious &entity; usage
  • Uses DOMDocument with external entities disabled
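The behaviour described under Usage and Security, written out as an added example in PHP (the plugin's own language). This is not the plugin's code: the function names (svg_is_safe, css_is_suspicious, value_is_dangerous_url), the exact element and attribute lists, the handling of href fragments and data: URLs, and the constructed sample documents are all assumptions made here for illustration. It goes one step beyond the README's list by also blocking foreignObject, which embeds arbitrary HTML.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Names and lists are assumptions.

/** True when a CSS fragment carries an expression(), an @import, or a script/data url(). */
function css_is_suspicious(string $css): bool
{
    return (bool) preg_match('/expression\s*\(|@import|url\s*\(\s*["\']?\s*(?:javascript|data)\s*:/i', $css);
}

/** True for javascript: URLs and for data: URLs that are not plain raster images. */
function value_is_dangerous_url(string $value): bool
{
    // Drop control characters and whitespace that browsers ignore before the scheme.
    $compact = (string) preg_replace('/[\x00-\x20]+/', '', $value);
    if (preg_match('/^javascript:/i', $compact)) {
        return true;
    }
    // A data: URL that is not a raster image may carry HTML, a nested SVG, or script.
    return (bool) preg_match('/^data:(?!image\/(?:png|jpe?g|gif|webp)[;,])/i', $compact);
}

/** Deny-first check: true only if nothing suspicious was found; $reason explains a rejection. */
function svg_is_safe(string $svg, ?string &$reason = null): bool
{
    $reason = null;
    if (trim($svg) === '') {
        $reason = 'empty file';
        return false;
    }
    // XML hardening on the raw bytes, before any parser runs. A DOCTYPE or ENTITY
    // declaration is the whole XXE / entity-expansion surface, so reject it outright.
    if (preg_match('/<!\s*(?:DOCTYPE|ENTITY)/i', $svg)) {
        $reason = 'DOCTYPE or ENTITY declaration';
        return false;
    }
    // Only the five predefined entities and numeric character references are allowed.
    if (preg_match('/&(?!(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9a-f]+);)[^\s;<&]*;/i', $svg)) {
        $reason = 'custom entity reference';
        return false;
    }

    // Parse with network access off. LIBXML_NOENT is deliberately NOT passed:
    // that flag switches entity substitution on, the opposite of what is wanted here.
    $prevErrors = libxml_use_internal_errors(true);
    $doc    = new DOMDocument();
    $loaded = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);

    $root = $doc->documentElement;
    if (!$loaded || $root === null || strtolower($root->localName) !== 'svg') {
        $reason = 'not well-formed XML with an <svg> root';
        return false;
    }

    // foreignObject is not in the README's list; blocked here because it embeds arbitrary HTML.
    $blockedElements = ['script', 'iframe', 'object', 'embed', 'foreignobject'];

    foreach ($doc->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, $blockedElements, true)) {
            $reason = "<{$name}> element";
            return false;
        }
        if ($name === 'style' && css_is_suspicious($el->textContent)) {
            $reason = 'suspicious CSS in <style>';
            return false;
        }
        foreach ($el->attributes as $attr) {
            $aname  = strtolower($attr->localName);   // xlink:href and href both become "href"
            $avalue = trim($attr->value);
            if (str_starts_with($aname, 'on')) {      // onload, onclick, onmouseover, ...
                $reason = "event handler {$aname}";
                return false;
            }
            if ($aname === 'style' && css_is_suspicious($avalue)) {
                $reason = 'suspicious CSS in style attribute';
                return false;
            }
            // Only same-document fragments (#id, as used by <use>) are accepted in href;
            // anything else is treated as an external reference.
            if ($aname === 'href' && !str_starts_with($avalue, '#')) {
                $reason = 'external reference in href';
                return false;
            }
            if (value_is_dangerous_url($avalue)) {
                $reason = "dangerous URL in {$aname}";
                return false;
            }
        }
    }
    return true;
}

// Constructed sample documents (not real uploads) so the file runs stand-alone: php allow-svg-check.php
$samples = [
    'clean'  => '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" style="fill:#09f"/></svg>',
    'use'    => '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs><circle id="c" r="1"/></defs><use xlink:href="#c"/></svg>',
    'onload' => '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
    'xxe'    => '<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/passwd">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>',
    'import' => '<svg xmlns="http://www.w3.org/2000/svg"><style>@import url("https://example.invalid/x.css");</style></svg>',
];
foreach ($samples as $label => $svg) {
    $ok = svg_is_safe($svg, $why);
    printf("%-7s %s\n", $label, $ok ? 'accepted' : "rejected ({$why})");
}
```

Two points worth keeping in mind when reading this against the README. First, the DOCTYPE rule is absolute: SVGs exported by drawing tools frequently start with a `<!DOCTYPE svg PUBLIC ...>` line, and a deny-first check like this one rejects them until that line is removed, which is the trade-off the README accepts by refusing to sanitize. Second, the raw-byte checks run before DOMDocument is involved at all, so a billion-laughs payload is turned away without the parser ever seeing the entity declarations.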

Sponsors

Allow SVG is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider sponsoring us.

Support

Statistics

  • Total downloads: 9.82k
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 36
  • Clicks: 1
  • Dependents: 0
  • Suggesters: 0

GitHub info

  • Stars: 36
  • Watchers: 3
  • Forks: 1
  • Language: PHP

Other info

  • License: MIT
  • Last updated: 2025-07-31