🎉 Howdy

Author: retlehs

.editorconfig

@@ -0,0 +1,24 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[*.json]
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
+
+[composer.json]
+indent_size = 4
+
+[*.js]
+indent_size = 2

.gitattributes

@@ -0,0 +1,44 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Source code files
+*.php text eol=lf
+*.js text eol=lf
+*.json text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+*.xml text eol=lf
+*.md text eol=lf
+*.txt text eol=lf
+
+# Config files
+.gitignore text eol=lf
+.gitattributes text eol=lf
+composer.json text eol=lf
+composer.lock text eol=lf
+*.config.js text eol=lf
+
+# Test files
+tests/** text eol=lf
+
+# Exclude from archives
+/.github/ export-ignore
+/.wp-env.json export-ignore
+/tests/ export-ignore
+/phpunit.xml export-ignore
+/playwright.config.js export-ignore
+/pint.json export-ignore
+/scoper.inc.php export-ignore
+/DEVELOPMENT_PLAN.md export-ignore
+/coverage/ export-ignore
+/.phpunit.cache/ export-ignore
+/test-results/ export-ignore
+
+# Binary files
+*.svg binary
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.ico binary
+*.pdf binary

.github/workflows/tests.yml

@@ -0,0 +1,143 @@
+name: Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.2
+          coverage: none
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v3
+        with:
+          path: /tmp/composer-cache
+          key: ${{ runner.os }}-${{ hashFiles('**/composer.lock') }}
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-interaction --no-progress
+
+      - name: Run linting
+        run: composer lint-check
+
+  unit-tests:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        php-version: [8.2, 8.3]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-version }}
+          coverage: none
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v3
+        with:
+          path: /tmp/composer-cache
+          key: ${{ runner.os }}-${{ hashFiles('**/composer.lock') }}
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-interaction --no-progress
+
+      - name: Run PHPUnit tests
+        run: composer test
+
+  integration-tests:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.2
+          coverage: none
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-interaction --no-progress
+
+      - name: Install wp-env
+        run: npm install -g @wordpress/env
+
+      - name: Start WordPress environment
+        run: npx wp-env start
+
+      - name: Wait for WordPress
+        run: |
+          timeout 60 bash -c 'until curl -f http://localhost:8889 > /dev/null 2>&1; do sleep 2; done'
+
+      - name: Run WP-CLI integration tests
+        run: composer test-wp-cli
+
+  e2e-tests:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.2
+          coverage: none
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-interaction --no-progress
+
+      - name: Install wp-env and Playwright
+        run: |
+          npm install -g @wordpress/env
+          npm install @playwright/test
+
+      - name: Install Playwright browsers
+        run: npx playwright install chromium
+
+      - name: Start WordPress environment
+        run: npx wp-env start
+
+      - name: Wait for WordPress
+        run: |
+          timeout 60 bash -c 'until curl -f http://localhost:8889 > /dev/null 2>&1; do sleep 2; done'
+
+      - name: Run E2E tests
+        run: composer test-e2e
+
+      - name: Upload E2E test results
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: playwright-report
+          path: test-results/
+          retention-days: 7

.gitignore

@@ -0,0 +1,33 @@
+# Dependencies
+/vendor/
+/node_modules/
+
+# Build artifacts
+/build/
+
+# Testing
+/coverage/
+/.phpunit.cache/
+/test-results/
+/playwright-report/
+
+# IDE
+/.vscode/
+/.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# WordPress
+/.wp-env.override.json
+
+# Temporary files
+*.log
+*.tmp
+*.temp
+
+# Composer
+/composer.phar

.wp-env.json

@@ -0,0 +1,13 @@
+{
+  "core": "WordPress/WordPress",
+  "phpVersion": "8.2",
+  "plugins": [
+    "."
+  ],
+  "config": {
+    "SCRIPT_DEBUG": true,
+    "WP_DEBUG": true,
+    "WP_DEBUG_LOG": true,
+    "WP_DEBUG_DISPLAY": false
+  }
+}

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Roots Software LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,101 @@
+<p align="center">
+  <a href="https://packagist.org/packages/roots/allow-svg"><img alt="Packagist Downloads" src="https://img.shields.io/packagist/dt/roots/allow-svg?label=downloads&colorB=2b3072&colorA=525ddc&style=flat-square"></a>
+  <a href="https://github.com/roots/allow-svg/actions/workflows/tests.yml"><img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/roots/allow-svg/tests.yml?branch=main&logo=github&label=CI&style=flat-square"></a>
+  <a href="https://bsky.app/profile/roots.io"><img alt="Follow roots.io on Bluesky" src="https://img.shields.io/badge/[email protected]?logo=bluesky&style=flat-square"></a>
+</p>
+
+# Allow SVG
+
+A WordPress plugin that enables SVG uploads with validation to block malicious files.
+
+> WordPress still lacks native SVG support after [12+ years of discussion](https://core.trac.wordpress.org/ticket/24251)
+
+## Features
+
+- ✅ **SVG Upload Support** — Enables `.svg` uploads in the WordPress media library
+- 🔒 **Security-First Validation** — Detects and rejects SVG files containing potentially harmful content
+- 🖼️ **Media Library Integration** — SVGs display inline like standard images
+- 🧩 **Zero Dependencies** — No external libraries or frameworks
+- ⚙️ **Zero Configuration** — No settings or admin bloat
+
+## Requirements
+
+- PHP 8.2 or higher
+- WordPress 5.9 or higher
+
+## Installation
+
+### via Composer
+
+```bash
+composer require roots/allow-svg
+```
+
+<details>
+<summary>Install as a mu-plugin</summary>
+
+If you are using [Bedrock](https://roots.io/bedrock/), you can install this as a must-use plugin by modifying your `composer.json` to install the package to the `mu-plugins` directory.
+
+```json
+{
+    "extra": {
+        "installer-paths": {
+            "web/app/mu-plugins/{$name}/": [
+                "type:wordpress-muplugin",
+                "roots/allow-svg"
+            ]
+        }
+    }
+}
+```
+
+</details>
+
+### Manual
+
+1. Download `allow-svg.php`
+2. Place in `wp-content/plugins/allow-svg/`
+3. Activate via wp-admin or WP-CLI
+
+## Usage
+
+Once activated, the plugin automatically:
+
+1. Enables SVG uploads through the Media Library or block editor
+2. Performs strict validation on all SVG files
+3. Rejects malicious files with clear error messages
+4. Accepts clean, standards-compliant SVGs as-is
+
+No configuration required.
+
+## Security
+
+This plugin uses a **deny-first approach**: it doesn't attempt to sanitize SVGs, it rejects files that appear unsafe.
+
+### Accepts:
+
+- Basic SVG shapes, paths, text, and inline styles
+- ViewBox and standard attributes
+
+### Rejects:
+
+- `<script>` tags or inline JavaScript
+- Event handlers like `onclick`, `onload`, etc.
+- External references (`href`, `xlink:href`, `iframe`, `object`, `embed`)
+- CSS expressions and `@import` rules
+- Data URLs containing script or HTML content
+
+### XML Hardening:
+
+- **XXE Protection** — Blocks `<!DOCTYPE>` and external entity declarations
+- **Entity Expansion Limits** — Rejects suspicious `&entity;` usage
+- Uses `DOMDocument` with external entities disabled
+
+## Sponsors
+
+Allow SVG is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, [please consider sponsoring us](https://github.com/sponsors/roots).
+
+## Support
+
+- GitHub Issues: https://github.com/roots/allow-svg/issues
+- Roots Discourse: https://discourse.roots.io/