
darylldoyle/safe-svg
====================

Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website

2.4.0 (9mo ago) · [27 issues](https://github.com/10up/safe-svg/issues) · [2 PRs](https://github.com/10up/safe-svg/pulls) · GPL-2.0-or-later · PHP >=7.4 · CI passing


Safe SVG
========


> Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.

Overview
--------

Safe SVG is the best way to Allow SVG Uploads in WordPress!

It gives you the ability to allow SVG uploads whilst making sure that they're sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.

### Current Features

- **Sanitised SVGs** - Don't open up security holes in your WordPress site by allowing uploads of unsanitised files.
- **SVGO Optimisation** - Runs your SVGs through the SVGO tool on upload to save you space. This feature is disabled by default but can be enabled by adding the following code: `add_filter( 'safe_svg_optimizer_enabled', '__return_true' );`
- **View SVGs in the Media Library** - Gone are the days of guessing which SVG is the correct one, we'll enable SVG previews in the WordPress media library.
- **Choose Who Can Upload** - Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.

Initially a proof of concept for [#24251](https://core.trac.wordpress.org/ticket/24251).

SVG Sanitization is done through the following library: .

SVG Optimization is done through the following library: .

### Technical: Upload Path Security

WordPress’s `_wp_handle_upload( $file, $action )` function allows any `$action` value, which determines the filter hook name: `{$action}_prefilter`. Safe SVG hooks common actions like `wp_handle_upload` and `wp_handle_sideload`, but cannot hook arbitrary custom actions defined by third-party code. Since upload actions are unbounded and MIME allowances are global, we cannot guarantee sanitization coverage across all possible upload paths.

Requirements
------------

- PHP 7.4+
- [WordPress](http://wordpress.org/) 6.6+

Installation
------------

Install through the WordPress directory or download, unzip and upload the files to your `/wp-content/plugins/` directory.

Frequently Asked Questions
--------------------------

### Can we change the allowed attributes and tags?

Yes, this can be done using the `svg_allowed_attributes` and `svg_allowed_tags` filters. They take one argument that must be returned. See below for examples:

```
add_filter( 'svg_allowed_attributes', function ( $attributes ) {

    // Do what you want here...

    // This should return an array, so add your attributes
    // to the $attributes array before returning it. E.g.

    $attributes[] = 'target'; // This would allow the target="" attribute.

    return $attributes;
} );

add_filter( 'svg_allowed_tags', function ( $tags ) {

    // Do what you want here...

    // This should return an array, so add your tags
    // to the $tags array before returning it. E.g.

    $tags[] = 'use'; // This would allow the <use> element.

    return $tags;
} );
```

### Why doesn't Safe SVG globally enable SVG uploads?

Safe SVG only allows SVGs through upload paths it can actively sanitize. While most WordPress uploads use standard functions like `wp_handle_upload()` (which Safe SVG hooks), plugins and themes can create custom upload paths by calling WordPress's underlying `_wp_handle_upload()` function with arbitrary action parameters.

Globally enabling the `image/svg+xml` MIME type would allow SVGs through all upload paths—including custom ones Safe SVG cannot intercept and sanitize. This would create security vulnerabilities where unsanitized SVGs containing malicious scripts could be uploaded.

This is a deliberate design decision: Safe SVG prioritizes guaranteed sanitization over broad compatibility. SVGs are only allowed when we can ensure they're safe.
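
One way a site owner can close a custom upload path of the kind described here and under "Technical: Upload Path Security", as an added example that is not code from Safe SVG. `acme_import` is a hypothetical custom action passed to `_wp_handle_upload()` by third-party code, and the `acme_`/`ACME_` names are made up for illustration.

```php
<?php
/**
 * Added example, not part of Safe SVG. 'acme_import' is a hypothetical
 * custom action that third-party code passes to _wp_handle_upload().
 */

// Constructed list: custom upload actions found by auditing installed plugins and themes.
const ACME_UNSANITIZED_UPLOAD_ACTIONS = array( 'acme_import' );

/**
 * Refuse SVG files on an upload path that no sanitizer is hooked into.
 *
 * @param array $file A single $_FILES-style entry (name, type, tmp_name, error, size).
 * @return array The entry, with a string 'error' set when the file is refused.
 */
function acme_block_svg_on_custom_path( $file ) {
	$name = isset( $file['name'] ) ? (string) $file['name'] : '';
	$ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );

	// Extension check: .svg and gzip-compressed .svgz.
	$looks_like_svg = in_array( $ext, array( 'svg', 'svgz' ), true );

	// Best-effort content check on the first 4 KB: catches an SVG document
	// uploaded under another extension.
	if ( ! $looks_like_svg && ! empty( $file['tmp_name'] ) && is_readable( $file['tmp_name'] ) ) {
		$head           = (string) file_get_contents( $file['tmp_name'], false, null, 0, 4096 );
		$looks_like_svg = (bool) preg_match( '/<svg[\s>]/i', $head );
	}

	if ( $looks_like_svg ) {
		// A non-numeric, non-empty 'error' string makes _wp_handle_upload() abort the upload.
		$file['error'] = 'SVG uploads are not accepted through this form.';
	}

	return $file;
}

foreach ( ACME_UNSANITIZED_UPLOAD_ACTIONS as $action ) {
	// The hook name is derived from the action: "{$action}_prefilter".
	add_filter( "{$action}_prefilter", 'acme_block_svg_on_custom_path' );
}
```

This only matters on a site where other code has globally allowed the `image/svg+xml` MIME type; every custom action has to be listed explicitly, which is the coverage problem described above.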

### Where do I report security bugs found in this plugin?

Please report security bugs found in the source code of the Safe SVG plugin through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/9e5fb4ed-587a-4ada-8dc3-a5b7362c0501). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.

Support Level
-------------

**Stable:** 10up is not planning to develop any new features for this, but will still respond to bug reports and security concerns. We welcome PRs, but any that include new features should be small and easy to integrate and should not include breaking changes. We otherwise intend to keep this tested up to the most recent version of WordPress.

Changelog
---------

A complete listing of all notable changes to Safe SVG is documented in [CHANGELOG.md](CHANGELOG.md).

Contributing
------------

Please read [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) for details on our code of conduct, [CONTRIBUTING.md](CONTRIBUTING.md) for details on the process for submitting pull requests to us, and [CREDITS.md](CREDITS.md) for a listing of maintainers of, contributors to, and libraries used by Safe SVG.

Like what you see?
------------------

[![Work with the 10up WordPress Practice at Fueled](https://github.com/10up/.github/raw/trunk/profile/10up-github-banner.jpg)](http://10up.com/contact/)

### Release Activity

- Cadence: every ~92 days (recently: every ~75 days)
- Total: 25
- Last release: 285d ago
- Major versions: 1.9.10 → 2.0.0 (2022-04-06)
- PHP version history (3 changes): 1.9.4 PHP ^5.6 || ^7.0; 1.9.10 PHP >=7.0; 2.1.0 PHP >=7.4

### Community

Maintainers: [darylldoyle](/maintainers/darylldoyle), [10up](/maintainers/10up) ([@10up](https://github.com/10up))

Top Contributors: dkotter (220 commits), jeffpaul (177 commits), iamdharmesh (51 commits), faisal-alvi (45 commits), darylldoyle (43 commits), dependabot[bot] (42 commits), peterwilsoncc (27 commits), gsarig (22 commits), Sidsector9 (18 commits), csloisel (13 commits), jayedul (12 commits), sksaju (9 commits), ravinderk (8 commits), gabriel-glo (8 commits), kirtangajjar (7 commits), szepeviktor (7 commits), bmarshall511 (6 commits), s3rgiosan (6 commits), TylerB24890 (6 commits), mehidi258 (4 commits)

Tags: file, graphic, hacktoberfest, image, media, mime, sanitize, security, svg, svg-upload, upload, vector, wordpress

