New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Tiny PR] Media Placeholder: Allow SVG as URI #18092
Conversation
0655024
to
4f05f24
Compare
|
||
if ( file.type === 'image/svg+xml' ) { | ||
file.text().then( ( source ) => { | ||
this.props.onSelectURL( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we check if onSelectURL is available?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, sure, I didn't know it's optional. :)
@@ -130,8 +131,23 @@ export class MediaPlaceholder extends Component { | |||
setMedia = onSelect; | |||
} | |||
} else { | |||
const [ file ] = files; | |||
|
|||
if ( file.type === 'image/svg+xml' ) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we limit this logic to files smaller than a given amount of bytes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That sounds like a good idea. Like me check some browser limitations for data URIs.
Interesting. This might work? I'm not sure how cautious we'll be on the security side of things. Note that this should only be set on the image tag. In other contexts |
I love this idea! Other than @jorgefilipecosta 's points above I think it would be a great addition to the image block 😄🎉 |
It looks like this PR has gone stale. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is one more check that I think we should do. Users without the ability to output unsafe HTML e.g: authors can not include code with an SVG so I guess in these cases our mechanism should do nothing.
@jorgefilipecosta Hey there, just circling back to see whether this is likely to be picked up and merged, or whether it should be closed out at this stage. Let me know, thanks! |
I think this PR is useful and could be merged. I guess we should just add a check for the capability to not have this functionality on users without permission to use unsafe HTML. |
@ellatrix, is this PR still relevant? If so, maybe @jorgefilipecosta can wrap it once he comes back from AFK. |
I'm not going to work on it, anyone should feel free to take it and start a new PR. |
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Unlinked AccountsThe following contributors have not linked their GitHub and WordPress.org accounts: @gwwar. Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases. If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.
To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Description
Ok, ok, SVGs in WordPress is a controversial topic. They cannot be uploaded. And the way towards that seems long as there are a bunch of security issues with SVGs. See https://core.trac.wordpress.org/ticket/24251.
But what if we don't upload them? What if we just encode them and use them in a data URI? This is safe as any scripts that could be embedded in an SVG will not be executed. The SVG is not embedded in the page.
Wait? Aren't data URIs too big to store in the post content? Yes, base64 encoded text would be long, but this isn't necessary. We can just encode the text.
So imagine I upload something like:
The result would be:
How has this been tested?
Add an image block and click "Upload", then select and SVG.
Screenshots
Types of changes
Checklist: