Should You Use .svg Images in WordPress Posts?

By Bill Freedman

Graphics make blog posts and web pages better. A picture is worth a thousand words—but including pictures on the web is harder than it should be. There is a whole alphabet soup of formats, graphic features such as transparency, different resolutions and the dreaded browser compatibility, find out more at this Kinsta blog post. Wouldn’t it be nice if creating and publishing graphics was as straight-forward as publishing text?

New and Improved: .svg or Scalable Vector Graphics

.svg images WordPress

.svg images in WordPress are here! This is the official .svg logo (in .svg format) served up from this blog’s media library using the Safe SVG plugin.

I’ve been tracking .svg for some time. .svg format stands for “scalable vector graphic,” which is described in a W3C specification. The format provides a modularized language for describing two-dimensional vector and mixed vector/raster images.

As of February 2017, .svg delivers numerous advantages for designers and developers alike. .svg images are supported by most browsers. The files are tiny compared to it’s .png and .jpeg brethren. And there are multiple tools, including my favorite graphic design tool, Sketch 3, that save files to the .svg format.

The advantages of .svg come from an industry standard format that comprises (1) vector graphic shapes (e.g., paths consisting of straight lines and curves), (2) raster images and (3) text that display beautifully in all modern browsers. In other words, the .svg image file contains instructions for rendering images at any resolution rather than compressed rasters. And for the designer and webmaster, this means you have a single tiny file to manage rather than exporting 1x, 2x and 4x versions from a graphic tool which need to be managed in a CDN or media library and delivered to desktop, mobile and retina displays based on the viewport setting…very, very complex.

With the advantages of broad compatibility, tiny files and simplicity, it’s time to make a switch. Or is it?

.svg Images in WordPress…Not For the Masses…Not Yet

As of February 2017, WordPress doesn’t officially support .SVG images. Sure it’s easy to enable SVG in your WordPress instance through a function or a plugin. But if it’s easy to support the .svg image format, why isn’t support included in WordPress core?  The answer: security.

It turns out that the .svg format is more of a document format than an image format. That means you can embed all sorts of things in a .svg file. This includes JavaScript. So that seemingly benign graphic could easily contain a not-so-benign script that hijacks visitors, data and web experiences. Not so good. And with 25% of the web running on WordPress, the core development team prioritizes security and reliability over simplicity. The four years of engineering debate is visible to all in WordPress Trac ticket 24251.

.svg Images in Controlled WordPress Sites: Bring On .svg!

In sites where only skilled web designers and publishers with a strict file chain of custody procedure, the advantages of .svg can be realized today. For security, I strongly recommend that you think twice about deploying .svg support by hacking the functions.php file and or using the less secure plugins that you can easily find in the WordPress Plugin Directory.

Instead, focus first on training and procedures to mitigate potential risks from .svg. Just as you wouldn’t let anybody upload JavaScript to your site, you shouldn’t let just anyone upload .svg files to your site. The first and safest approach is to let savvy designers include .svg files in theme assets:

  1. Produce your own .svg files or review code in files provided by others
  2. Run the .svg file through a sanitizer, like DOMpurify
  3. Save the resulting code locally.
  4. Add the .svg file to your CDN or production file system
  5. Directly reference the sanitized file with CSS or HTML code <img src="/blah/file.svg" />

How About Media Libraries?

Enabling the media library opens more risk. If you are ready to limit access to the media libary using WordPress user roles, the risks should be manageable. There is one .svg plugin I can recommend today: Safe SVG by Daryll Doyle. It not only enables the .svg mime type for the media library, but it sanitizes .svg files on upload. The plugin is young but works. And developer Daryll Doyle is actively developing Safe SVG. He deserves our support!

.svg has a bright future for web publishers who value great user experiences with content and compatible graphics files that are simple to manage. Let’s embrace a secure future for SVG and WordPress.