CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file, per the Keep a Changelog standard, and will adhere to Semantic Versioning.

Unreleased - TBD

2.4.0 - 2025-09-22

Added

• Ability to upload SVGs from more admin locations (props @stormrockwell, @darylldoyle, @wpexplorer, @smerriman, @jeffpaul, @dkotter via #279).

Changed

• Added $attachment_id argument to filters safe_svg_use_width_height_attributes and safe_svg_dimensions (props @roborourke, @dkotter via #278).

Fixed

• Inconsistent or incorrect data type for $svg argument in the filters safe_svg_use_width_height_attributes and safe_svg_dimensions (props @roborourke, @dkotter via #278).

2.3.3 - 2025-08-13

Security

• Update the enshrined/svg-sanitize package from 0.19.0 to 0.22.0 to fix an issue with case-insensitive attributes slipping through the sanitiser and address PHP 8.4 deprecation warnings (props @darylldoyle, @sudar, @georgestephanis, @dkotter, @realazizk via #268, #272).
• Bump form-data from 4.0.0 to 4.0.4 (props @dependabot, @faisal-alvi via #270).
• Bump tmp from 0.2.3 to 0.2.5 and @inquirer/editor from 4.2.9 to 4.2.16 (props @dependabot, @dkotter via #271).

Developer

• Configure dependabot to automatically create PR for enshrined/svg-sanitize (props @sudar, @georgestephanis, @dkotter, @jeffpaul via #269).
• Fix typo in dependency-review.yml (props @szepeviktor, @jeffpaul via #276).

2.3.2 - 2025-07-21

Note that this release bumps the WordPress minimum version from 6.5 to 6.6.

Fixed

• Visual parity between the front end and the block editor (props @s3rgiosan, @dkotter via #261, #266).

Changed

• Bump WordPress "tested up to" version 6.8 (props @godleman, @jeffpaul, @dkotter via #251, #254).
• Bump WordPress minimum supported version to 6.6 (props @godleman, @jeffpaul, @dkotter via #254).

Security

• Bump ws from 7.5.10 to 8.18.0, @wordpress/scripts from 27.9.0 to 30.6.0, nanoid from 3.3.7 to 3.3.8 and mocha from 10.2.0 to 11.0.1 (props @dependabot, @peterwilsoncc via #245).
• Bump @babel/runtime from 7.23.9 to 7.27.0, axios from 1.7.4 to 1.8.4, cookie from 0.4.2 to 0.7.1, express from 4.21.0 to 4.21.2 and @wordpress/e2e-test-utils-playwright from 0.26.0 to 1.20.0 (props @dependabot, @dkotter via #250).
• Bump http-proxy-middleware from 2.0.6 to 2.0.9 (props @dependabot, @iamdharmesh via #253).
• Bump tar-fs from 3.0.8 to 3.0.9 (props @dependabot, @dkotter via #258).
• Bump bytes from 3.0.0 to 3.1.2 and compression from 1.7.4 to 1.8.1 (props @dependabot, @dkotter via #265).

Developer

• Update all third-party actions our workflows rely on to use versions based on specific commit hashes (props @dkotter, @jeffpaul via #248).
• Updated GitHub Action workflow permissions (props @dkotter, @jeffpaul via #262).

2.3.1 - 2024-12-05

Fixed

• Revert changes made to how we determine custom dimensions for SVGs (props @dkotter, @martinpl, @subfighter3, @smerriman, @gigatyrant, @jeffpaul, @iamdharmesh via #238).

2.3.0 - 2024-11-25

Note that this release bumps the WordPress minimum version from 6.4 to 6.5.

Added

• New setting that allows large SVG files (roughly 10MB or greater) to be uploaded and sanitized properly (props @kirtangajjar, @faisal-alvi, @darylldoyle, @manojsiddoji, @dkotter via #201).
• New get_svg_dimensions function in order to reduce code duplication (props @gabriel-glo, @jeremymoore, @darylldoyle, @iamdharmesh, @dkotter via #216).

Changed

• Updated the enshrined/svg-sanitize package from 0.16.0 to 0.19.0 to fix a PHP 8.3 compatibility issue (props @sksaju, @TylerB24890, @darylldoyle, @rolf-yoast, @faisal-alvi via #214).
• Update how image dimensions are passed in get_image_tag_override and one_pixel_fix methods (props @gabriel-glo, @jeremymoore, @darylldoyle, @iamdharmesh, @dkotter via #216).
• Bump WordPress "tested up to" version to 6.7 (props @colinswinney, @jeffpaul via #232, #233).
• Bump WordPress minimum from 6.4 to 6.5 (props @colinswinney, @jeffpaul via #232, #233).
• Remove composer dev dependencies from archived project (props @TylerB24890, @szepeviktor, @peterwilsoncc via #220).

Fixed

• Use proper block category for the Safe SVG Icon block (props @kirtangajjar, @fabiankaegy via #226).

Security

• Only allow SVG file types to be uploaded if our sanitizer is able to run on those files (props @darylldoyle, @xknown, @dkotter via #228).
• Bump webpack from 5.90.1 to 5.94.0 (props @dependabot, @peterwilsoncc via #222).
• Bump ws from 7.5.10 to 8.18.0, serve-static from 1.15.0 to 1.16.2 and express from 4.19.2 to 4.21.0 (props @dependabot, @Sidsector9, @faisal-alvi via #227, #230, #234).

Developer

• Bump @10up/cypress-wp-utils from 0.2.0 to 0.4.0, @wordpress/env from 9.2.0 to 10.12.0, cypress from 13.3.0 to 13.16.0 and cypress-mochawesome-reporter from 3.4.0 to 3.8.2. Downgrades @wordpress/scripts to 27.9.0. Add additional E2E tests (props @dkotter, @Lewiscowles1986 via #234).
• Update repo badges, add banner image (props @jeffpaul, @dkotter via #224, #229).

2.2.6 - 2024-08-28

Note that this release bumps the WordPress minimum version from 5.7 to 6.4.

Changed

• Bump WordPress "tested up to" version to 6.6 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
• Bump WordPress minimum from 5.7 to 6.4 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).

Security

• Add svg sanitization on the wp_handle_sideload_prefilter filter (props @dkotter, @xknown, @iamdharmesh via GHSA-3vr7-86pg-hf4g).
• Bump braces from 3.0.2 to 3.0.3, pac-resolver from 7.0.0 to 7.0.1, socks from 2.7.1 to 2.8.3, ws from 7.5.9 to 7.5.10 and remove ip (props @dependabot, @Sidsector9 via #206).
• Bump axios from 1.6.7 to 1.7.4 (props @dependabot, @faisal-alvi via #218).

Developer

• Update repo badges, add WordPress Playground badge (props @jeffpaul, @dkotter via #217).

2.2.5 - 2024-06-27

Added

• New filter, safe_svg_current_user_can_upload, allowing more control over who can upload SVG files (props @dkotter, @iamdharmesh via #193).

Fixed

• Fatal error when applying the admin_post_thumbnail_html filter with just two arguments (props @kmgalanakis, @dkotter, @liz1kiweno via #196).
• Prevent PHP fatal error when the value of the filtered block categories is not an array (props @kmgalanakis, @dkotter, @cguidog via #200).
• Handled PHP warning when the $image_meta is not an array (props @faisal-alvi, @dkotter, @drazenbebic, @kirtangajjar via #203).

Developer

• Added a "Testing" section in the CONTRIBUTING.md file (props @kmgalanakis, @jeffpaul via #197).
• Added the Repo Automator GitHub Action (props @iamdharmesh, @jeffpaul via #198).

2.2.4 - 2024-03-28

Changed

• Upgrade the download-artifact from v3 to v4 (props @iamdharmesh, @jeffpaul via #181).
• Replaced lee-dohm/no-response with actions/stale to help with closing no-response/stale issues (props @jeffpaul, @dkotter via #183).

Fixed

• Ensure the svg file can be loaded before we try accessing it's attributes (props @dkotter, @metashield-ie, @ocean90, @darylldoyle, @faisal-alvi via #186).
• Ensure we don't throw JS errors in the Classic Editor when the optimizer feature is turned on (props @dkotter, @turtlepod, @faisal-alvi via #187).

Security

• Bump webpack-dev-middleware from 5.3.3 to 5.3.4 (props @dependabot, @dkotter via #185).
• Bump express from 4.18.2 to 4.19.2 (props @dependabot, @dkotter via #188).

2.2.3 - 2024-03-20

Added

• Support for the WordPress.org plugin preview (props @dkotter, @jeffpaul via #167).

Changed

• Bump WordPress "tested up to" version 6.5 (props @dkotter, @jeffpaul via #180).
• Clean up NPM dependencies and update node to v20 (props @Sidsector9, @dkotter via #172).

Fixed

• Refactor the svg_dimensions function to be more performant (props @sksaju, @cjyabraham, @bmarshall511, @Hercilio1, @darylldoyle via #154, #174).
• Address fatal JS error when optimization is enabled and an item is published without blocks (props @psorensen, @tictag, @dkotter via #173).

Security

• Bump axios from 0.25.0 to 1.6.2 and @wordpress/scripts from 26.0.0 to 26.18.0 (props @dependabot, @ravinderk via #166).
• Bump follow-redirects from 1.15.3 to 1.15.6 and ip from 1.1.8 to 1.1.9 (props @dependabot, @dkotter via #169, #177).

2.2.2 - 2023-11-21

Changed

• Bump WordPress "tested up to" version 6.4 (props @qasumitbagthariya, @jeffpaul via #162, #163).

Fixed

• Ensure CSS applies properly to the SVG Icon block when added via theme.json (props @tobeycodes, @dkotter via #161).

2.2.1 - 2023-10-23

Changed

• Update to apiVersion 3 for our SVG Icon block (props @fabiankaegy, @ravinderk, @jeffpaul, @dkotter via #133).

Fixed

• Address an error due to the SVG Icon block using the fill-rule attribute (props @zamanq, @jeffpaul, @iamdharmesh via #152).

Security

• Bump postcss from 8.4.20 to 8.4.31 (props @dependabot, @faisal-alvi via #155).
• Bump @cypress/request from 2.88.12 to 3.0.1 and cypress from 10.11.0 to 13.3.0 (props @dependabot, @ravinderk via #156).
• Bump @babel/traverse from 7.20.12 to 7.23.2 (props @dependabot, @iamdharmesh via #158).

2.2.0 - 2023-08-21

Added

• New settings that give the ability to select which user roles can upload SVG files (props @dhanendran, @csloisel, @faisal-alvi, @dkotter via #76).
• SVG optimization during upload via SVGO. Feature is disabled by default but can be enabled using the safe_svg_optimizer_enabled filter (props @gsarig, @peterwilsoncc, @Sidsector9, @darylldoyle, @faisal-alvi, @dkotter, @ravinderk via #79, #145).
• Spacing and color controls added to SVG block (props @bmarshall511, @iamdharmesh via #135).
• Mochawesome reporter added for Cypress test report (props @jayedul, @peterwilsoncc via #124).

Changed

• Update Support Level from Active to Stable (props @Sidsector9, @iamdharmesh via #100).
• Update name of SVG block from Safe SVG Icon to Inline SVG (props @bmarshall511, @iamdharmesh via #135).
• Bump WordPress "tested up to" version 6.3 (props @dkotter, @jeffpaul via #144).
• Update the Dependency Review GitHub Action (props @jeffpaul, @Sidsector9 via #128).

Fixed

• Add namespace to the class_exists check (props @szepeviktor, @iamdharmesh via #120).
• Ensure Sanitizer class is properly imported (props @szepeviktor, @iamdharmesh via #121).
• Remove an unneeded global (props @szepeviktor, @iamdharmesh via #122).
• Use absolute path in require (props @szepeviktor, @iamdharmesh via #123).
• Ensure custom classname added to SVG block is output on the front-end (props @bmarshall511, @Sidsector9, @dkotter via #130).
• Ensure SimpleXML exists before using it (props @sdmtt, @faisal-alvi via #140).
• Fix markdown issues in the readme (props @szepeviktor, @iamdharmesh via #119).

Security

• Bump semver from 5.7.1 to 5.7.2 (props @dependabot via #134).
• Bump word-wrap from 1.2.3 to 1.2.5 (props @dependabot via #141).
• Bump tough-cookie from 4.1.2 to 4.1.3 and @cypress/request from 2.88.10 to 2.88.12 (props @dependabot via #146).

2.1.1 - 2023-04-05

Changed

• Upgrade @wordpress npm package dependencies (props @ggutenberg, @Sidsector9 via #108).
• Bump WordPress "tested up to" version 6.2 (props @ggutenberg, @Sidsector9 via #108).
• Run our E2E tests on the zip generated by "Build release zip" action (props @jayedul, @dkotter via #106).

Fixed

• Only load our block CSS if a page has the SVG block in it and remove an extra slash in the CSS file path. Remove an unneeded JS block file (props @dkotter, @freinbichler, @IanDelMar, @ocean90, @Sidsector9 via #112).
• Better error handling for environments that don't match our minimum PHP version (props @dkotter, @ravinderk via #111).

2.1.0 - 2023-03-22

Added

• An SVG Gutenberg Block (props @faisal-alvi, @Sidsector9, @cr0ybot, @darylldoyle, @cbirdsong, @jeffpaul via #80).
• "Build release zip" GitHub Action (props @iamdharmesh, @dkotter, @faisal-alvi via #87).

Changed

• Bump minimum PHP version from 7.0 to 7.4 (props @iamdharmesh, @peterwilsoncc, @vikrampm1 via #82).
• Bump minimum WordPress version from 4.7 to 5.7 (props @iamdharmesh, @peterwilsoncc, @vikrampm1 via #82).
• Bump WordPress "tested up to" version 6.1 (props @iamdharmesh, @peterwilsoncc via #85).

Security

• Updates the underlying sanitisation library to pull in a security fix (props @darylldoyle, @faisal-alvi, @Cyxow via #105).
• Bump got from 10.7.0 to 11.8.5 (props @dependabot via #83).
• Bump @wordpress/env from 4.9.0 to 5.6.0 (props @dependabot via #83).
• Bump simple-git from 3.9.0 to 3.16.0 (props @dependabot via #88, #99).
• Bump loader-utils from 2.0.2 to 2.0.4 (props @dependabot via #92).
• Bump json5 from 1.0.1 to 1.0.2 (props @dependabot via #91).
• Bump decode-uri-component from 0.2.0 to 0.2.2 (props @dependabot via #93).
• Bump markdown-it from 12.0.4 to 12.3.2 (props @dependabot, @peterwilsoncc via #94).
• Bump @wordpress/scripts from 19.2.4 to 25.1.0 (props @dependabot, @peterwilsoncc via #94).
• Bump http-cache-semantics from 4.1.0 to 4.1.1 (props @dependabot, @peterwilsoncc via #101).
• Bump webpack from 5.75.0 to 5.76.1 (props @dependabot, @faisal-alvi via #103).
• Bump svg-sanitizer from 0.15.2 to 0.16.0 (props @darylldoyle, @faisal-alvi, @Cyxow via #105).

2.0.3 - 2022-09-01

Added

• More robust PHP testing (props @iamdharmesh, @faisal-alvi via #71, #73).

Fixed

• Addressed PHPCS errors (props @iamdharmesh, @faisal-alvi via #73).

2.0.2 - 2022-06-27

Added

• Dependency security scanning (props @jeffpaul via #60).
• End-to-end testing with Cypress (props @iamdharmesh via #64).

Changed

• Bump WordPress version "tested up to" 6.0 (props @dkotter via #65).

Removed

• Redundant premium version upgrade link (props @ocean90, @peterwilsoncc via #61).
• Unneeded admin CSS fix for featured images (props @AdamWills, @dkotter, @peterwilsoncc via #63).

2.0.1 - 2022-04-19

Changed

• Documentation updates (props @jeffpaul, @peterwilsoncc via #50).

Fixed

• Ensure our height and width attributes are set before using them (props @dkotter, @r8r, @jerturowetz, @cadic via #51)
• Support for installing via packagist.org (props @roborourke, @peterwilsoncc via #52).

2.0.0 - 2022-04-06

Added

• New filter, safe_svg_use_width_height_attributes, that can be used to change the order of attributes we use to determine the SVG dimensions (props @dkotter, @peterwilsoncc via #43).

Changed

• Documentation updates (props @j-hoffmann, @jeffpaul, @Zodiac1978 via #39, #42).

Fixed

• Use the viewBox attributes first for image dimensions. Ensure we don't use image dimensions that end with percent signs (props @dkotter, @peterwilsoncc via #43).
• Make sure we use the full size SVG dimensions rather than the requested size, to avoid wrong sizes being used and duplicate height and width attributes (props @dkotter, @cadic via #44).
• Ensure the tmp_name and name properties exist before we use them (props @dkotter, @aksld via #46).

1.9.10 - 2022-02-23

Note that this release bumps the WordPress minimum version from 4.0 to 4.7 and the PHP minimum version from 5.6 to 7.0.

Changed

• Bump WordPress minimum version from 4.0 to 4.7 (props @cadic via #32).
• Bump PHP minimum version from 5.6 to 7.0 (props @mehidi258, @iamdharmesh, @amdd-tim, @darylldoyle, @jeffpaul via #20).
• Update enshrined/svg-sanitize from 0.13.3 to 0.15.2 (props @mehidi258, @iamdharmesh, @amdd-tim, @darylldoyle, @jeffpaul, @cadic via #20, #29).
• Bump WordPress version "tested up to" 5.9 (props @BBerg10up, @jeffpaul, @cadic via #14, #27).
• Updated library location and added a new build step (props @darylldoyle, @dkotter via #35, #36).
• Updated plugin assets and added docs and repo management workflows via GitHub Actions (props Brooke Campbell, @jeffpaul via #16, #26).

Fixed

• Double slash being added in SVG file URL for newer uploads (props @mehulkaklotar, @smerriman via #19).
• Float value casting for SVGs when fetching width and height (props @mehulkaklotar, @smerriman via #19).
• Use calculated size for SVGs instead of using false (props @dkotter, @darylldoyle, @fritteli via #23).
• Add better file type checking when looking for SVG files (props @davidhamann, @dkotter, @darylldoyle via #28).

1.9.9 - 2020-05-07

Fixed

• Issue where 100% width is accidentally converted to 100px width (props @joehoyle).

1.9.8 - 2020-05-07

Changed

• Underlying library update.

1.9.7 - 2019-12-10

Changed

• Underlying library update.

1.9.6 - 2019-11-07

Security

• Underlying library update that fixes a security issue.

1.9.5 - 2019-11-04

Security

• Underlying library update that fixes some security issues.

1.9.4 - 2019-08-21

Fixed

• Bug causing lots of error log output to do with safe_svg::fix_direct_image_output().

1.9.3 - 2019-02-19

Fixed

• Bug causing 0 height and width SVGs.

1.9.2 - 2019-02-14

Fixed

• Warning about an Illegal string offset.
• Issue if something other than a WP_Post object is passed in via the wp_get_attachment_image_attributes filter.

1.9.1 - 2019-01-29

Fixed

• Warning that was being generated by a change made in 1.9.0.

1.9.0 - 2019-01-03

Changed

• If an image is the correct ratio, allow skipping of the crop popup when setting header/logo images with SVGs.

1.8.1 - 2018-11-22

Changed

• Don't let errors break upload if uploading an empty file.

Fixed

• Featured image display in Gutenberg. Props @dmhendricks :)

1.8.0 - 2018-11-04

Added

• Pull SVG dimensions from the width/height or viewbox attributes of the SVG.
• role="img" attribute to SVGs.

1.7.1 - 2018-10-01

Changed

• Underlying lib and added new filters for filtering allowed tags and attributes.

1.7.0 - 2018-10-01

Added

• Allow devs to filter tags and attrs within WordPress.

1.6.1 - 2018-03-17

Changed

• Images will now use the size chosen when inserted into the page rather than default to 2000px everytime.

1.6.0 - 2017-12-20

Added

• Fairly big new feature - The library now allows <use> elements as long as they don't reference external files!

Fixed

• You can now also embed safe image types within the SVG and not have them stripped (PNG, GIF, JPG).

1.5.3 - 2017-11-16

Fixed

• 1.5.2 introduced an issue that can freeze the media library. This fixes that issue. Sorry!

1.5.2 - 2017-11-15

Changed

• Tested with 4.9.0.

Fixed

• Issue with SVGs when regenerating media.

1.5.1 - 2017-08-21

Fixed

• PHP strict standards warning.

1.5.0 - 2017-06-20

Changed

• Library update.
• role, aria- and data- attributes are now whitelisted to improve accessibility.

1.4.5 - 2017-06-18

Changed

• Library update.

Fixed

• Issues with defining the size of an SVG.

1.4.4 - 2017-06-07

Fixed

• SVGs now display as featured images in the admin area.

1.4.3 - 2017-03-06

Added

• WordPress 4.7.3 Compatibility.

Changed

• Expanded SVG previews in media library.

1.4.2 - 2017-02-26

Added

• Check / fix for when mb_* functions are not available.

1.4.1 - 2017-02-23

Changed

• Underlying library to allow attributes/tags in all case variations.

1.4.0 - 2017-02-21

Added

• Ability to preview SVG on both grid and list view in the wp-admin media area.

Changed

• Underlying library version.

1.3.4 - 2017-02-20

Fixed

• SVGZ uploads failing and not sanitising correctly.

1.3.3 - 2017-02-15

Changed

• Allow SVGZ uploads.

1.3.2 - 2017-01-27

Fixed

• Mime type issue in 4.7.1. Mad props to @LewisCowles1986.

1.3.1 - 2016-12-01

Changed

• Underlying library version.

1.3.0 - 2016-10-10

Changed

• Minify SVGs after cleaning so they can be loaded correctly through file_get_contents.

1.2.0 - 2016-02-27

Added

• Support for camel case attributes such as viewBox.

1.1.1 - 2016-07-06

Fixed

• Issue with empty svg elements self-closing.

1.1.0 - 2015-07-04

Added

• I18n.
• da, de, en, es, fr, nl, and ru translations.

Fixed

• Issue with filename not being pulled over on failed uploads.

1.0.0 - 2015-07-03

• Initial Release.