Allow Safe SVG Uploads with WP SVG

Allow Safe SVG Uploads with WP SVG

I’m sure a lot of WordPress site owners and maintainers are unaware of the inherit security risks involved with the SVG file format. Daryll Doyle knows and he’s created a freemium plugin built on a custom library that sanitizes SVG files for WordPress. The pro version of his plugin, WP SVG, is on sale now.

WP SVG does more than just offer a security fix. The plugin creates actual, viewable thumbnails for SVGs inside of the WordPress media library (no more broken images or useless previews!) and allows you to restrict SVG upload permission to users based on their roles.

Daryll answered some of my questions about WP SVG, it’s free version and the sanitization library he wrote that powers the whole thing.

Questions for the Developer

Can you tell me how the idea for WP SVG came to you?

WP SVG is an offshoot of my free plugin Safe SVG to help try and pay for the development of the library. It originally started as a proof of concept for a WordPress core bug.

As it became more apparent that the closing of this bug would be a very slow process I started work on a PHP based SVG sanitisation library. After basic testing against well known exploits I decided to roll out a plugin to the WordPress directory to help get more eyes on the library.

Although I run WP SVG and people are using it I’d still ultimately love to see that bug fixed and a solution rolled out in core.

How long has it taken to develop WP SVG into its current state?

WP SVG has only been around for about 5 months. The free version (Safe SVG) and the SVG sanitisation library that powers it has been in development for just over 2 years now. The free version has 6,000+ active installs according to the WordPress plugin directory so I can’t complain too much there.

You do a nice job on your site explaining the security problems with the SVG file format and how WP SVG helps. Is educating the public about these issues a main focus for you or is it just another avenue to help promote the plugin?

To me, security is the biggest issue that we face on the web. SVGs are a great addition to websites but a lot of people still see them as image files, which they’re not! I hope that by trying to educate people on the security issues that come with allowing SVG uploads that they will stop using workarounds like this (https://css-tricks.com/snippets/wordpress/allow-svg-through-wordpress-media-uploader) and instead opt to use a proper sanitsation library. This not only helps them, but also helps me to get the library tested in real life scenarios.

I like to ask about marketing a lot because I personally find it so difficult. What has been the most successful way to get people to try WP SVG? And how about the least successful?

I’m terrible at marketing and if I’m honest I’ve done very little to promote the premium version of the plugin. It’s something I’d love to do more so I have to absorb less of the development costs myself but I really have no idea where to start. I suppose I’m more of a dev than a marketing guru.

What do you wish someone had told you before you started making WP SVG?

I wish someone had showed me how to market a plugin!

Other than that, I can’t complain too much. I’ve had a good amount of support from people that’d also like to see this issue fixed for good and the feedback around the free version has been very positive.

This plugin, for me, was never about getting rich or making loads of money, but rather trying to help cover the costs of building a working and sustainable SVG sanitisation library.

What’s coming in future releases of WP SVG?

There’s a small list of enhancements planned for WP SVG but a lot of my planned work is on the underlying library. I’d like to be able to clean it up a lot and allow through the element, which is currently stripped as a security measure.

I’m hoping to be able to ship version 2.0 of the library within the next few months so you should see updates to WP SVG and Safe SVG around then with the updated lib. I’m also hoping to work with some of the more popular page builders to get SVGs working with their systems.

Learn More

Thanks to Daryll for answering my questions about WP SVG. You can learn more at wpsvg.com or at the plugin’s Twitter account @wpsvg. The SVG sanitization library is available on Github.

 

Are You a WordPress Plugin Developer?

We would love to have a post on The Plugin Economy featuring your product.
Get started by submitting our interview request form.

Filed under: Interview, WordPress