10up / safe-svg

Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.
https://wordpress.org/plugins/safe-svg/
GNU General Public License v2.0

No RDF metadata #211

Open EldarAgalarov opened 1 month ago

EldarAgalarov commented 1 month ago

Describe the bug

SVG Sanitizer removes RDF metadata, leaving empty <metadata></metadata> tags.

The plugin should have an option to disable the sanitizer, something like this:

add_filter( 'safe_svg_sanitizer_enabled', '__return_false' );

Steps to Reproduce

Upload any SVG file that contains RDF metadata and check.

Screenshots, screen recording, code snippet

No response

Environment information

No response

WordPress information

No response


jeffpaul commented 1 month ago

In chatting with @darylldoyle on this, if you want to disable the sanitizer then why even bother with the plugin (as that's the primary safeguard to ensure SVGs are... sanitized)? As such, we do not feel a filter is something we'll add here. Otherwise, looking into what it would take to support RDF data seems like an option (related docs).

EldarAgalarov commented 1 month ago

@jeffpaul What if we implemented an additional "read-only" mode for the plugin? When a user uploads an SVG file, the plugin checks whether the SVG file is safe or not without sanitizing it; if the file is safe it allows the upload, otherwise it rejects the upload. In such a mode safety is also guaranteed.

jeffpaul commented 5 days ago

Sorry, that still opens too much risk; sanitizing the SVGs is what this plugin is intended to do.
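The following is an added example, not code from safe-svg or the svg-sanitize library it wraps. It uses a deliberately tiny, hypothetical allow-list to show why the behaviour in the report happens (an allow-list sanitizer drops the rdf:, cc: and dc: elements it does not know, leaving an empty <metadata /> element), what "supporting RDF" means in that design (add those namespaced elements and attributes to the allow-list), and what the proposed check-only mode looks like next to the rewrite mode: the same walk, recording violations instead of removing them. The sample SVG files, the namespace allow-lists and all function names are constructed for this example.

```python
"""Allow-list SVG sanitizer sketch (added example; not safe-svg or svg-sanitize code).

Rewrite mode strips everything outside the allow-list; check-only mode reports it
instead. The allow-lists below are hypothetical and far shorter than a real one.
"""
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
DC_NS = "http://purl.org/dc/elements/1.1/"
CC_NS = "http://creativecommons.org/ns#"
for prefix, uri in (("", SVG_NS), ("xlink", XLINK_NS), ("rdf", RDF_NS), ("dc", DC_NS), ("cc", CC_NS)):
    ET.register_namespace(prefix, uri)  # keep readable prefixes on serialized output

# Hypothetical allow-lists. RDF_TAGS/NS_ATTRS are what "RDF support" would add.
BASE_TAGS = {(SVG_NS, t) for t in ("svg", "g", "path", "rect", "circle", "title", "desc", "metadata")}
RDF_TAGS = {(RDF_NS, "RDF"), (CC_NS, "Work"), (CC_NS, "Agent"), (DC_NS, "title"), (DC_NS, "creator")}
PLAIN_ATTRS = {"id", "d", "x", "y", "width", "height", "r", "cx", "cy", "fill", "stroke", "viewBox"}
NS_ATTRS = {(RDF_NS, "about"), (RDF_NS, "resource")}


def split_qname(qname):
    """'{uri}local' -> (uri, local); un-namespaced names get an empty uri."""
    if qname.startswith("{"):
        uri, _, local = qname[1:].partition("}")
        return uri, local
    return "", qname


def attr_allowed(qname, value):
    """Attribute allow-list: no event handlers, hrefs only to in-document fragments."""
    uri, local = split_qname(qname)
    if local.lower().startswith("on"):
        return False
    if local == "href" and uri in ("", XLINK_NS):
        return value.startswith("#")
    if uri == "":
        return local in PLAIN_ATTRS
    return (uri, local) in NS_ATTRS


def _walk(elem, allowed_tags, remove, violations):
    """Visit attributes and children; either strip offenders (remove=True) or only record them."""
    for name in list(elem.attrib):
        if not attr_allowed(name, elem.attrib[name]):
            violations.append(f"attribute {name} on {elem.tag}")
            if remove:
                del elem.attrib[name]
    for child in list(elem):
        if split_qname(child.tag) not in allowed_tags:
            violations.append(f"element {child.tag}")
            if remove:
                elem.remove(child)  # the whole subtree goes, text content included
            continue
        _walk(child, allowed_tags, remove, violations)
    return violations


def sanitize(svg_text, allowed_tags=BASE_TAGS):
    """Rewrite mode: return the SVG with everything outside the allow-list removed."""
    root = ET.fromstring(svg_text)
    if split_qname(root.tag) != (SVG_NS, "svg"):
        raise ValueError("root element is not svg")
    _walk(root, allowed_tags, remove=True, violations=[])
    return ET.tostring(root, encoding="unicode")


def check(svg_text, allowed_tags=BASE_TAGS):
    """Check-only mode: list violations without touching the file; an empty list means it would upload unchanged."""
    root = ET.fromstring(svg_text)
    if split_qname(root.tag) != (SVG_NS, "svg"):
        return ["root element is not svg"]
    return _walk(root, allowed_tags, remove=False, violations=[])


def metadata_child_count(svg_text):
    """Number of elements left inside <metadata>; 0 is the empty tag described in the report."""
    meta = ET.fromstring(svg_text).find(f"{{{SVG_NS}}}metadata")
    return -1 if meta is None else len(meta)


# Constructed sample: a tiny Inkscape-style file carrying RDF licence metadata.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:cc="http://creativecommons.org/ns#" width="10" height="10">
  <metadata><rdf:RDF><cc:Work rdf:about=""><dc:title>Logo</dc:title></cc:Work></rdf:RDF></metadata>
  <rect x="0" y="0" width="10" height="10" fill="red"/>
</svg>"""

# Constructed sample of what the allow-list must catch: a script element and an event handler.
UNSAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed */">
  <script>/* constructed */</script><rect width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    print(sanitize(SAMPLE_SVG))                        # <metadata /> left empty, as in the report
    print(sanitize(SAMPLE_SVG, BASE_TAGS | RDF_TAGS))  # RDF block preserved
    print(check(UNSAFE_SVG))                           # two findings, file left untouched
```

The check-only mode is the same traversal with removal switched off, so it is only as good as the allow-list behind it: anything the rewrite mode would strip is reported, and a file with an empty finding list is byte-for-byte what the sanitizer would have accepted anyway.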