Allow SVG image uploads in WordPress

Updated on July 19, 2018

SVG is an XML-based vector image format commonly used on websites to display logos and icons. SVGs are popular among developers and designers because they are scalable, small in file size and don’t pixelate on retina screens. By default, WordPress doesn’t allow you to upload SVG files due to security concerns. Because an SVG is an XML file, it is known for exposing vulnerabilities such as XML external entity (XXE) attacks, nested-entity bombs and XSS attacks, none of which affect normal image formats. Here we shall see how to safely enable WordPress SVG support.

You will have seen many people on the internet suggesting this method. Without this code, SVG files will be rejected when you attempt to upload them through the media uploader.

Open your theme’s functions.php file and add the code below:

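// Add SVG to the list of MIME types WordPress accepts for uploads (no sanitizing, any user who can upload).
function cc_mime_types($mimes) {
    $mimes['svg'] = 'image/svg+xml';
    return $mimes;
}
add_filter('upload_mimes', 'cc_mime_types');

Caution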

Although this serves our purpose of uploading SVG files, it is not a safe way, because SVGs need to be sanitized. Sanitizing means cleaning the code or input to avoid security issues (such as code injection), code conflicts and errors. Also restrict SVG uploads to administrators only, as you will have no idea what kind of SVG images someone else might upload, exposing your website.
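One way to apply both points of the caution above in functions.php, in place of the earlier snippet. This is an added example, not code from the original article or from any plugin. The cc_svg_* function names, the manage_options capability check and the reject patterns are assumptions chosen for illustration.

```php
// Added example: names and patterns below are illustrative assumptions.

// Offer the SVG MIME type only to users who can manage site options (administrators).
function cc_svg_mime_for_admins( $mimes ) {
    if ( current_user_can( 'manage_options' ) ) {
        $mimes['svg'] = 'image/svg+xml';
    }
    return $mimes;
}
add_filter( 'upload_mimes', 'cc_svg_mime_for_admins' );

// Return a reason string if the markup contains a construct tied to XXE,
// nested-entity expansion or XSS; return null if none is found.
function cc_svg_reject_reason( $svg ) {
    $checks = array(
        'DOCTYPE or ENTITY declaration' => '/<!(DOCTYPE|ENTITY)\b/i',
        'script element'                => '/<\s*script\b/i',
        'foreignObject element'         => '/<\s*foreignObject\b/i',
        'event handler attribute'       => '/\son[a-z]+\s*=/i',
        'javascript: URL'               => '/javascript\s*:/i',
    );
    foreach ( $checks as $reason => $pattern ) {
        if ( preg_match( $pattern, $svg ) ) {
            return $reason;
        }
    }
    return null;
}

// Refuse the upload before WordPress stores it when the pre-check finds something.
function cc_svg_upload_prefilter( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' !== $ext ) {
        return $file; // Not an SVG: leave other uploads untouched.
    }
    $svg    = file_get_contents( $file['tmp_name'] );
    $reason = ( false === $svg ) ? 'unreadable file' : cc_svg_reject_reason( $svg );
    if ( null !== $reason ) {
        // A non-empty 'error' string makes WordPress abort the upload with this message.
        $file['error'] = 'SVG rejected: ' . $reason;
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'cc_svg_upload_prefilter' );
```

This pre-check only rejects files; it does not clean them, and pattern matching can miss encoded variants, so it complements a sanitizer rather than replacing one.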

Safely Enable WordPress SVG Support

A popular plugin by Daryll, known as Safe SVG, utilizes the SVG Sanitized library (developed by himself) to sanitize SVG images when they are uploaded to your WordPress media library. This plugin also lets you view SVGs like normal images in the media library.

Download, install and activate the plugin. There are no settings for this plugin; it simply sanitizes all your SVGs upon upload. Another good thing about this plugin is that SVGs are viewable like normal images in the media library.

Use SVGs responsibly.
