Daryll Doyle
Forum Replies Created
Forum: Plugins
In reply to: [Safe SVG] SVG Illegal string offset warning IS BACK
Hi @delaitec,
I’m sorry to hear that you’re having issues.
I’ve looked into the error and it seems to be coming from the fact that some of your SVGs are missing the height and width from the metadata.
Did you upload these quite a while ago? If so, can I ask that you try to re-upload one and replace old for new? I have a feeling this will fix it. I will also try and find the time to look for a backported fix for this issue.
Cheers,
Daryll
Forum: Plugins
In reply to: [Safe SVG] Safe SVG causing issues with photoswipe image viewer
Safe SVG doesn’t actually output any scripts on the front end of the site, so the JS error will be with another plugin, likely Autoptimize. I would suggest opening an issue with them.
If you were using an SVG in the gallery when this issue was occurring, then I’d imagine that something in the gallery isn’t liking loading the SVG. (SVGs are not actually an image in the way PNGs and JPGs are, but they can be used as an image.) Again, I would suggest opening an issue with the gallery plugin if Autoptimize can’t fix it and ask them to check their compatibility with SVG images.
Sorry that I can’t be much more help.
Cheers,
Daryll
Forum: Plugins
In reply to: [Safe SVG] SVGO function
Hi @bruce81,
The SVGO optimisation only happens on the Pro version of this plugin, available from https://wpsvg.com.
It works by hooking into the upload filter and running the SVG through an SVGO server after sanitisation. There’s nothing to do to get it working as it happens automatically on upload. Again, this is just the Pro version though.
If you wanted to implement something like this yourself, I would suggest looking at hooking into the wp_handle_upload_prefilter filter with a priority of 11+ as this way you’ll know it’s after sanitisation.
Regards,
Daryll
Forum: Plugins
In reply to: [Safe SVG] filter working code example + disallowed risk reference
Hi @yggydrasil,
I’ve just updated the readme with better documentation of how to use these filters. Basically, it has to return an array and therefore as long as you return an array, there will be no issue.
add_filter( 'svg_allowed_attributes', function ( $attributes ) {
    // Do what you want here...

    // This should return an array, so add your attributes
    // to the $attributes array before returning it. E.g.
    $attributes[] = 'target'; // This would allow the target="" attribute.

    return $attributes;
} );
This will enable your target attribute.
In regards to the disallowed tags, that’s not something I keep track of, outside of the sanitiser repository and my local notes. If you’d like to see the allowed tags, feel free to dive into the code where you’ll find them.
Regards,
Daryll
This reply was modified 5 years, 3 months ago by Daryll Doyle.
Forum: Plugins
In reply to: [Safe SVG] issue with svg
Hi @you456 Sorry for the delay, I completely missed this ticket. Looking at it now, if you were uploading an animated SVG, this was probably the issue. The <animation> etc. elements can be used as a way to cause an XSS vulnerability if abused and therefore the sanitiser will remove them.
@jordanwebdev, it’s hard to say without seeing the SVG. Do you have a copy of it somewhere that you can send to me? [email protected] is the best way!
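Added example, not part of the forum replies: a simplified model of the allowlist sanitisation discussed above, showing why an animated SVG loses its animation on upload and what extending the lists through svg_allowed_attributes (and the matching tags filter) changes. It is not Safe SVG's or its sanitiser's code; the function name sanitise_svg, the sample SVG and both lists are constructed for illustration.

```php
<?php
// Simplified model of allowlist sanitisation; NOT Safe SVG's code.
// sanitise_svg(), the sample SVG and both lists are constructed for illustration.
function sanitise_svg( string $svg, array $allowed_tags, array $allowed_attrs ): string {
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing.
    if ( ! $doc->loadXML( $svg, LIBXML_NONET ) ) {
        throw new InvalidArgumentException( 'Not well-formed XML' );
    }
    // Snapshot the live node list so removals do not disturb the iteration.
    foreach ( iterator_to_array( $doc->getElementsByTagName( '*' ), false ) as $el ) {
        if ( ! in_array( strtolower( $el->localName ), $allowed_tags, true ) ) {
            // Element not on the list: drop it together with its subtree.
            $el->parentNode->removeChild( $el );
            continue;
        }
        foreach ( iterator_to_array( $el->attributes, false ) as $attr ) {
            if ( ! in_array( strtolower( $attr->localName ), $allowed_attrs, true ) ) {
                $el->removeAttributeNode( $attr );
            }
        }
    }
    return $doc->saveXML( $doc->documentElement );
}

// Constructed sample: an animated rectangle inside a link.
$svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
     . '<a href="#top" target="_blank"><rect width="10" height="10" fill="red">'
     . '<animate attributeName="opacity" from="1" to="0" dur="2s"/>'
     . '</rect></a></svg>';

$tags  = array( 'svg', 'a', 'rect' );
$attrs = array( 'viewbox', 'width', 'height', 'fill', 'href' );

// With the base lists, <animate> and target="" are stripped; the shape survives.
echo sanitise_svg( $svg, $tags, $attrs ), "\n";

// Extending the lists, the way a filter callback appends to the array it
// returns. Each addition re-admits that element or attribute for every
// uploader, so add only what the site actually needs.
$tags[] = 'animate';
$attrs  = array_merge( $attrs, array( 'target', 'attributename', 'from', 'to', 'dur' ) );
echo sanitise_svg( $svg, $tags, $attrs ), "\n";
```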
Forum: Plugins
In reply to: [Safe SVG] SafeSVG breaks Avada
Hi @kbi_user,
You may be correct, lazyloading may be the issue here, but I can’t be 100% on that.
Ultimately Safe SVG will try and attempt to pull the width and height from the SVG content or viewbox. If it can’t do this, it’ll fall back to 1px, which it’s not doing.
I definitely would suggest reaching out to Theme Fusion as it does seem to be something that’s happening that side and I’ll also try and get back in touch/test it my end to see if I can see any issues.
Forum: Plugins
In reply to: [Safe SVG] SafeSVG breaks Avada
Hi @kbi_user,
I haven’t tested the two together personally, this is coming from Theme Forest’s team.
From what I can see in your screenshot, the images aren’t showing at your desired size when Safe SVG is turned on? The only thing that could be causing this is that Safe SVG will read the size of the image in this function and output the height/width in the image tag. This stops issues with themes not having SVG support and therefore SVGs having a width of 0px and essentially not appearing.
Ultimately, this inline width will be being pulled from the uploaded SVG files so in my eyes, the options would be:
- Update the SVGs to have the correct image sizes/viewbox as it should be on the site.
- Overwrite the inline styles using CSS and set the styles that way to appear back to the desired size.
Unfortunately, as this is ultimately an issue with a specific theme, I can’t justify removing the code from Safe SVG, as others are relying on it. Therefore, I’m closing this issue and would suggest that you either try one of the above solutions or reach out to the Theme Forest support team and ask them to help you find a solution.
Cheers,
Daryll
Forum: Plugins
In reply to: [Safe SVG] SafeSVG breaks Avada
Hi @kbi_user,
I’ve now spoken to Mark @ Theme Fusion, he’s tested Safe SVG with Avada and found no compatibility issues. He did mention that there’s a minor adjustment rolling out in the next version that will make the height/width work a bit better but other than that all was OK.
I’m sorry I can’t be more help with this issue. Do you have many more plugins that are running on the site? It’s possible that one of the others may be conflicting.
Forum: Plugins
In reply to: [Safe SVG] No displaying Previously uploaded images in media library
Closing due to lack of response.
Forum: Plugins
In reply to: [Safe SVG] Incorrect symbols after uploading
Closing due to lack of response.
Forum: Plugins
In reply to: [Safe SVG] SafeSVG breaks Avada
Hi @kbi_user,
I’m sorry to hear you’re having issues with SafeSVG and Avada. I’ve reached out to ThemeFusion about this and hopefully, we can work together to find a fix for you. I’ll keep you updated!
Forum: Plugins
In reply to: [Safe SVG] Blocked animation?
Hi @hasse2016,
<animate> is indeed classed as a security threat. In terms of being uploaded by an admin, this is pretty subjective as an admin user may know loads about SVG security or they may not know it’s an issue at all. Therefore we sanitise for all users the same.
If you’d like to see more about the animate element and why it’s an issue, there are a few examples available here: https://html5sec.org/#89
Mario Heiderich talks about it in this paper: https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf
I also briefly covered it in my WordCamp London talk: https://wordpress.tv/2019/01/22/daryll-doyle-securing-svg-uploads-in-wordpress/
I hope that answers some of your questions.
If you’d like to allow the element through the sanitiser, it’s worth taking a look at the FAQs for the svg_allowed_attributes and svg_allowed_tags filters as they’ll allow you to modify the whitelist on your site.
Cheers,
Daryll
Forum: Plugins
In reply to: [Safe SVG] No displaying Previously uploaded images in media library
Hi @supermarmota,
Thanks for trying Safe SVG and I’m sorry to hear you’re having issues with it.
By the sounds of it, something is missing from your PHP installation that the plugin relies on, more than likely the DOM module (See here).
Do you have the ability to upload new files to your server? Alternatively, who are you using to host your website?
If we can work out what’s causing the issue, it should be an easy fix.
Regards,
Daryll
Forum: Plugins
In reply to: [Safe SVG] Missing argument 3 for safe_svg::fix_direct_image_output()
Hey @msdsl,
Thanks for reporting this issue. I’ve just pushed up a change in 1.9.4 release that should fix this. Please let me know if that does solve the issue for you.
The release should be available shortly.
Cheers,
Daryll
Forum: Plugins
In reply to: [Safe SVG] Incorrect symbols after uploading
Hi Ruth,
Do you have any more info or some screenshots of the issue that you can share? Without seeing what the issue is, there’s not a lot I can do to help, unfortunately.
Cheers,
Daryll