Upload .SVG to Magento Media Gallery

[tkacheva]

Originally recorded in MAGETWO-53778 Requires Merchant Documentation: Yes

Proposed Release Note:

This feature allows merchants to upload SVG file into Magento Media Gallery and use it in the content. Before this feature only developers were able to use .svg

Card:

As a Content manager I want to upload SVG file into Magento Media Gallery so that I use it the webstore content

Background:

SVG is not supported in Magento since 2.2 release because of potential security violations (MAGETWO-61189) that assumes JS code can be inserted inside SVG file. Since that there was several issues reported on GitHub:

• https://github.com/magento/magento2/issues/12451
• https://github.com/magento/magento2/issues/10999
• https://github.com/magento/magento2/issues/2958

SVG format grows its popularity and this trend shows that enterprise level of websites use it more often that smaller ones. Key objectives of why .svg support is crucial for advanced content that Magento supports with 2.3 release:

• fully scalable and responsive images that are commonly used for titles and text with custom fonts.
• editable and scriptable. All kinds of animations and interactions can be added to a drawing via CSS and/or JavaScript
• low size of the used files on a web page. SVG graphics are routinely smaller file sizes compared to their raster graphics brethren

Preconditions:

User is on the following pages:

• Catalog >Category
• Catalog > Product
• Content >Pages
• Content >Blocks
• Content > Dynamic Blocks

Acceptance Criteria

• User opens Magento Media Gallery and sees message: "Allowed file types: JPG, PNG, GIF, SVG"
• User uploads .svg file to the Magento Media Gallery and sees file preview displayed first in the selected folder
• User selects .svg file from the Media gallery and inserts into web content, navigates to the storefront and sees its displayed

Additional information

[orlangur]

@tkacheva do you mean that SVG support can be just returned back or there needs to be a more sophisticated fix for a stored XSS vulnerability?

[luke-underwood]

+1. I use SVGs everywhere I can as modern web designs should. The initial security fix should not have been simply removing upload support for SVG altogether

[andy17612]

can you say how to use SVGs everywhere? thank you! @SnarkieDesign

[p24-max]

Magento admin media gallery is used by trusted users only. If they want to add malicious JavaScript, they can also do this in a CMS-page with pagebuilder "html" element... Please allow SVG or add an option to enable/disable it.