Safe SVG
Active Installs
1,000,000+
Last Updated
April 14, 2026
First Released
July 3, 2015
Download History (Last one month)
Safe SVG is the best way to Allow SVG Uploads in WordPress!
It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.
Current Features
- Sanitised SVGs – Don’t open up security holes in your WordPress site by allowing uploads of unsanitised files.
- SVGO Optimisation – Runs your SVGs through the SVGO tool on upload to save you space. This feature is disabled by default but can be enabled by adding the following code:
add_filter( 'safe_svg_optimizer_enabled', '__return_true' ); - View SVGs in the Media Library – Gone are the days of guessing which SVG is the correct one, we’ll enable SVG previews in the WordPress media library.
- Choose Who Can Upload – Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.
Initially a proof of concept for #24251.
SVG Sanitization is done through the following library: https://github.com/darylldoyle/svg-sanitizer.
SVG Optimization is done through the following library: https://github.com/svg/svgo.
Install through the WordPress directory or download, unzip and upload the files to your /wp-content/plugins/ directory
Yes, this can be done using the svg_allowed_attributes and svg_allowed_tags filters.
They take one argument that must be returned. See below for examples:
add_filter( 'svg_allowed_attributes', function ( $attributes ) {
// Do what you want here...
// This should return an array so add your attributes to
// to the $attributes array before returning it. E.G.
$attributes[] = 'target'; // This would allow the target="" attribute.
return $attributes;
} );
add_filter( 'svg_allowed_tags', function ( $tags ) {
// Do what you want here...
// This should return an array so add your tags to
// to the $tags array before returning it. E.G.
$tags[] = 'use'; // This would allow the <use> element.
return $tags;
} );
Changelog
2.4.0 – 2025-09-22
- Added: Ability to upload SVGs from more admin locations (props @stormrockwell, @darylldoyle, @wpexplorer, @smerriman, @jeffpaul, @dkotter via #279).
- Changed: Added
$attachment_idargument to filterssafe_svg_use_width_height_attributesandsafe_svg_dimensions(props @roborourke, @dkotter via #278). - Fixed: Inconsistent or incorrect data type for
$svgargument in the filterssafe_svg_use_width_height_attributesandsafe_svg_dimensions(props @roborourke, @dkotter via #278).
2.3.3 – 2025-08-13
- Security: Update the
enshrined/svg-sanitizepackage from0.19.0to0.22.0to fix an issue with case-insensitive attributes slipping through the sanitiser and address PHP 8.4 deprecation warnings (props @darylldoyle, @sudar, @georgestephanis, @dkotter, @realazizk via #268, #272). - Security: Bump
form-datafrom 4.0.0 to 4.0.4 (props @dependabot, @faisal-alvi via #270). - Security: Bump
tmpfrom 0.2.3 to 0.2.5 and@inquirer/editorfrom 4.2.9 to 4.2.16 (props @dependabot, @dkotter via #271).
2.3.2 – 2025-07-21
- Fixed: Visual parity between the front end and the block editor (props @s3rgiosan, @dkotter via #261, #266).
- Changed: Bump WordPress “tested up to” version 6.8 (props @godleman, @jeffpaul, @dkotter via #251, #254).
- Changed: Bump WordPress minimum supported version to 6.6 (props @godleman, @jeffpaul, @dkotter via #254).
- Security: Bump
wsfrom 7.5.10 to 8.18.0,@wordpress/scriptsfrom 27.9.0 to 30.6.0,nanoidfrom 3.3.7 to 3.3.8 andmochafrom 10.2.0 to 11.0.1 (props @dependabot, @peterwilsoncc via #245). - Security: Bump
@babel/runtimefrom 7.23.9 to 7.27.0,axiosfrom 1.7.4 to 1.8.4,cookiefrom 0.4.2 to 0.7.1,expressfrom 4.21.0 to 4.21.2 and@wordpress/e2e-test-utils-playwrightfrom 0.26.0 to 1.20.0 (props @dependabot, @dkotter via #250). - Security: Bump
http-proxy-middlewarefrom 2.0.6 to 2.0.9 (props @dependabot, @iamdharmesh via #253). - Security: Bump
tar-fsfrom 3.0.8 to 3.0.9 (props @dependabot, @dkotter via #258). - Security: Bump
bytesfrom 3.0.0 to 3.1.2 andcompressionfrom 1.7.4 to 1.8.1 (props @dependabot, @dkotter via #265).
2.3.1 – 2024-12-05
- Fixed: Revert changes made to how we determine custom dimensions for SVGs (props @dkotter, @martinpl, @subfighter3, @smerriman, @gigatyrant, @jeffpaul, @iamdharmesh via #238).
2.3.0 – 2024-11-25
- Added: New setting that allows large SVG files (roughly 10MB or greater) to be uploaded and sanitized properly (props @kirtangajjar, @faisal-alvi, @darylldoyle, @manojsiddoji, @dkotter via #201).
- Added: New
get_svg_dimensionsfunction in order to reduce code duplication (props @gabriel-glo, @jeremymoore, @darylldoyle, @iamdharmesh, @dkotter via #216). - Changed: Updated the
enshrined/svg-sanitizepackage from 0.16.0 to 0.19.0 to fix a PHP 8.3 compatibility issue (props @sksaju, @TylerB24890, @darylldoyle, @rolf-yoast, @faisal-alvi via #214). - Changed: Update how image dimensions are passed in
get_image_tag_overrideandone_pixel_fixmethods (props @gabriel-glo, @jeremymoore, @darylldoyle, @iamdharmesh, @dkotter via #216). - Changed: Bump WordPress “tested up to” version to 6.7 (props @colinswinney, @jeffpaul via #232, #233).
- Changed: Bump WordPress minimum from 6.4 to 6.5 (props @colinswinney, @jeffpaul via #232, #233).
- Changed: Remove composer dev dependencies from archived project (props @TylerB24890, @szepeviktor, @peterwilsoncc via #220).
- Fixed: Use proper block category for the Safe SVG Icon block (props @kirtangajjar, @fabiankaegy via #226).
- Security: Only allow SVG file types to be uploaded if our sanitizer is able to run on those files (props @darylldoyle, @xknown, @dkotter via #228).
- Security: Bump
webpackfrom 5.90.1 to 5.94.0 (props @dependabot, @peterwilsoncc via #222). - Security: Bump
wsfrom 7.5.10 to 8.18.0,serve-staticfrom 1.15.0 to 1.16.2 andexpressfrom 4.19.2 to 4.21.0 (props @dependabot, @Sidsector9, @faisal-alvi via #227, #230, #234).
2.2.6 – 2024-08-28
- Changed: Bump WordPress “tested up to” version to 6.6 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
- Changed: Bump WordPress minimum from 5.7 to 6.4 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
- Security: Add svg sanitization on the
wp_handle_sideload_prefilterfilter (props @dkotter, @xknown, @iamdharmesh via GHSA-3vr7-86pg-hf4g). - Security: Bump
bracesfrom 3.0.2 to 3.0.3,pac-resolverfrom 7.0.0 to 7.0.1,socksfrom 2.7.1 to 2.8.3,wsfrom 7.5.9 to 7.5.10 and removeip(props @dependabot, @Sidsector9 via #206). - Security: Bump
axiosfrom 1.6.7 to 1.7.4 (props @dependabot, @faisal-alvi via #218).
" width="120" height="120">
Available Versions
| Version | Download | Type |
|---|---|---|
| 2.4.0 | Download | Stable |
| 2.3.3 | Download | Stable |
| 2.3.2 | Download | Stable |
| 2.3.1 | Download | Stable |
| 2.3.0 | Download | Stable |
| 2.2.6 | Download | Stable |
| 2.2.5 | Download | Stable |
| 2.2.4 | Download | Stable |
| 2.2.3 | Download | Stable |
| 2.2.2 | Download | Stable |
| 2.2.1 | Download | Stable |
| 2.2.0 | Download | Stable |
| 2.1.1 | Download | Stable |
| 2.1.0 | Download | Stable |
| 2.0.3 | Download | Stable |
| 2.0.2 | Download | Stable |
| 2.0.1 | Download | Stable |
| 2.0.0 | Download | Stable |
| 1.9.10 | Download | Stable |
| 1.9.9 | Download | Stable |
| 1.9.8 | Download | Stable |
| 1.9.7 | Download | Stable |
| 1.9.6 | Download | Stable |
| 1.9.5 | Download | Stable |
| 1.9.4 | Download | Stable |
| 1.9.3 | Download | Stable |
| 1.9.2 | Download | Stable |
| 1.9.1 | Download | Stable |
| 1.9.0 | Download | Stable |
| 1.8.1 | Download | Stable |
| 1.8.0 | Download | Stable |
| 1.7.1 | Download | Stable |
| 1.6.1 | Download | Stable |
| 1.6.0 | Download | Stable |
| 1.5.3 | Download | Stable |
| 1.5.2 | Download | Stable |
| 1.5.1 | Download | Stable |
| 1.5.0 | Download | Stable |
| 1.4.5 | Download | Stable |
| 1.4.4 | Download | Stable |
| 1.4.3 | Download | Stable |
| 1.4.2 | Download | Stable |
| 1.4.1 | Download | Stable |
| 1.4.0 | Download | Stable |
| 1.3.4 | Download | Stable |
| 1.3.3 | Download | Stable |
| 1.3.2 | Download | Stable |
| 1.3.1 | Download | Stable |
| 1.3.0 | Download | Stable |
| 1.2.0 | Download | Stable |
| 1.1.1 | Download | Stable |
| 1.1.0 | Download | Stable |
| 1.0.0 | Download | Stable |
| Development | Download | Trunk |
