Compatibility Fix for Safe SVG
| 开发者 | jgorres |
|---|---|
| 更新时间 | 2026年5月25日 22:25 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPL v2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Problem:
With "Safe SVG" alone, uploading SVG files into the WordPress Media Library works fine. As soon as you try to replace an existing file with an SVG via the "Enable Media Replace" plugin, the operation aborts with the message "Sorry, this file type is not permitted for security reasons.".
Root cause: EMR calls
wp_check_filetype_and_ext() directly from its own submenu (upload.php?page=enable-media-replace/...) without going through the standard upload path (wp_handle_upload). Safe SVG, however, registers its MIME-type fix only on certain admin page hooks — and those do not reliably fire on the EMR replace page in practice.
Solution:
This plugin registers the two required filters (upload_mimes, wp_check_filetype_and_ext) globally so that SVG uploads work through EMR as well.
Safety guard:
So that this plugin does not open an unsanitized SVG upload path, the filters are active only when the "Safe SVG" plugin itself is active. Safe SVG then handles the SVG sanitization on wp_handle_upload_prefilter / wp_handle_sideload_prefilter. Without an active Safe SVG, SVG remains non-uploadable.
安装:
- In the WordPress admin go to Plugins → Add New → Upload Plugin and upload the ZIP file.
- Activate the plugin.
- Make sure that "Safe SVG" and "Enable Media Replace" are also active.
- Replace an existing media item with an SVG file via "Replace media" — it now works.
常见问题:
Do I really need Safe SVG?
Yes. Without Safe SVG the filters of this plugin stay inactive. This is intentional: SVG uploads without a sanitizer would be an XSS risk (embedded JavaScript / SVG smuggling).
Does the plugin also work with other replace plugins?
Yes. The two filters are generic and apply to any plugin that calls wp_check_filetype_and_ext() directly.
Does the plugin also work in WP-CLI / Cron / REST sideloads?
Yes. As of version 1.1.0 the filters no longer perform a capability check, so SVG uploads also work in contexts without a logged-in user (for example programmatic sideloads via REST or WP-CLI). Security is still enforced through the Safe-SVG-active guard and Safe SVG's sanitization on wp_handle_upload_prefilter.
Is the plugin still needed once EMR is updated and fixes the conflict itself?
No. The plugin can be deactivated and removed without leftovers (no postmeta, no options, no cron).
更新日志:
1.1.1
- Metadata:
Contributorsslug inreadme.txtchanged fromjoerngorrestojgorresto match the WordPress.org user name. No code changes.
- Plugin renamed from "Safe SVG Upload Fix" to "Compatibility Fix for Safe SVG" (slug:
compatibility-fix-for-safe-svg). Reason: the WP.org Plugin Directory does not accept plugin names that start with the name of another plugin; the "for Safe SVG" pattern is explicitly allowed. - Function prefix
ssuf_→compatibility_fix_for_safe_svg_. - Removed the capability check (
current_user_can( 'upload_files' )) from the filter callbacks. As a result SVG uploads now also work in non-user contexts (WP-CLI, Cron, REST sideloads). Security is still guaranteed by the Safe-SVG-active guard and Safe SVG's sanitizer hook. - Plugin header description translated to English.
- Added a
languages/index.phpstub against direct access. - Translated all
readme.txtsections (Installation, FAQ, Changelog, Upgrade Notice) to English.
- Plugin Check compliance, no functional changes: Short Description and
== Description ==translated to English.
- Initial release.
- Registers the
upload_mimesandwp_check_filetype_and_extfilters globally, gated by an active-Safe-SVG check.