Make WordPress Core

Opened 4 years ago

Last modified 9 months ago

#53100 new defect (bug)

Unable to upload SVGs even if ALLOW_UNFILTERED_UPLOADS set

Reported by: desmith's profile desmith Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 5.7.1
Component: Upload Keywords:
Focuses: Cc:

Description

I have several sites where wp-config.php includes the line

define('ALLOW_UNFILTERED_UPLOADS', true);

I would expect that to permit all file types to be uploaded. However, SVG files are not allowed, displaying the message "Sorry, this file type is not permitted for security reasons."

I have tested this on a site using the default Twenty Twenty One theme, and no enabled plugins, and on that same site with Twenty Nineteen. I've tested it on several other sites, with a fairly broad collection of themes and plugins, as well. I am fairly confident the only code in common here is Core.

I know that there are several plugins that "enable" SVG upload support, but I would expect the ALLOW_UNFILTERED_UPLOADS define to take care of that for me. Unfiltered should mean unfiltered, including SVGs. Is this an oversight or bug in the upload handlers, or an intentional (and perhaps not-well-documented) choice?

Change History (2)

#1 @thesimarchitect
3 years ago

Same problem with other files like .jfif

This method used to work before and it seems that WordPress 5 broke it.

I wonder why nobody seems to be talking about it. We shouldn't need to use a plugin to fix that, the feature should not be removed from Wordpress.

#2 @rcreators
9 months ago

I tested this and seems to only work if you have added svg in the allowed mime type and ALLOW_UNFILTERED_UPLOADS added as well.

1) only mime-type in theme function: Not working

function cc_mime_types( $mimes ){
  $mimes['svg'] = 'image/svg+xml';
  return $mimes;
}
add_filter( 'upload_mimes', 'cc_mime_types' );

2) Only added code in wp-config.php file: Not Working

define('ALLOW_UNFILTERED_UPLOADS', true);

3) Add both into WordPress: Working

This was actually working before with only adding either option. Now we have to add both option. Can anyone check what's changed?

Note: See TracTickets for help on using tickets.