Skip to content

Commit

Permalink
Merge branch 'develop' into trunk
Browse files Browse the repository at this point in the history
  • Loading branch information
dkotter committed Aug 21, 2023
2 parents bda2ac2 + 0e895da commit 413ca06
Show file tree
Hide file tree
Showing 25 changed files with 18,730 additions and 3,469 deletions.
7 changes: 3 additions & 4 deletions .distignore
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,7 @@
/tests

# Files
.distignore
.gitignore
.wp-env.json
.*
CHANGELOG.md
CODE_OF_CONDUCT.md
composer.json
Expand All @@ -21,4 +19,5 @@ package.json
phpcs.xml
phpunit.xml.dist
README.md
webpack.config.js
webpack.config.js
/assets/js/admin/admin.js
23 changes: 16 additions & 7 deletions .github/workflows/cypress.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,13 +57,22 @@ jobs:
- name: Test
run: npm run cypress:run

- name: Upload artifacts
uses: actions/upload-artifact@v2
- name: Update summary
if: always()
run: |
npx mochawesome-merge ./tests/cypress/reports/*.json -o tests/cypress/reports/mochawesome.json
rm -rf ./tests/cypress/reports/mochawesome-*.json
npx mochawesome-json-to-md -p ./tests/cypress/reports/mochawesome.json -o ./tests/cypress/reports/mochawesome.md
npx mochawesome-report-generator tests/cypress/reports/mochawesome.json -o tests/cypress/reports/
cat ./tests/cypress/reports/mochawesome.md >> $GITHUB_STEP_SUMMARY
- name: Make artifacts available
uses: actions/upload-artifact@v3
if: failure()
with:
name: cypress-artifact-safe-svg
retention-days: 7
name: cypress-artifact
retention-days: 2
path: |
${{ github.workspace }}/tests/cypress/screenshots/
${{ github.workspace }}/tests/cypress/videos/
${{ github.workspace }}/tests/cypress/logs/
${{ github.workspace }}/tests/cypress/screenshots/
${{ github.workspace }}/tests/cypress/videos/
${{ github.workspace }}/tests/cypress/logs/
${{ github.workspace }}/tests/cypress/reports/
8 changes: 6 additions & 2 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,5 +16,9 @@ jobs:
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1
- name: Dependency Review
uses: actions/dependency-review-action@v3
with:
license-check: true
vulnerability-check: false
config-file: 10up/.github/.github/dependency-review-config.yml@trunk
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,14 @@ on:
schedule:
- cron: '0 0 * * 1'

permissions:
issues: write

jobs:
wordpress-version-checker:
runs-on: ubuntu-latest
steps:
- name: WordPress version checker
uses: skaut/wordpress-version-checker@v1.2.0
uses: skaut/wordpress-version-checker@master
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ node_modules
tests/cypress/downloads
tests/cypress/screenshots
tests/cypress/videos
tests/cypress/reports
dist

# Files
Expand Down
4 changes: 4 additions & 0 deletions .wordpress-version-checker.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"readme": "readme.txt",
"channel": "rc"
}
28 changes: 28 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,33 @@ All notable changes to this project will be documented in this file, per [the Ke

## [Unreleased] - TBD

## [2.2.0] - 2023-08-21
### Added
- New settings that give the ability to select which user roles can upload SVG files (props [@dhanendran](https://github.com/dhanendran), [@csloisel](https://github.com/csloisel), [@faisal-alvi](https://github.com/faisal-alvi), [@dkotter](https://github.com/dkotter) via [#76](https://github.com/10up/safe-svg/pull/76)).
- SVG optimization during upload via SVGO. Feature is disabled by default but can be enabled using the `safe_svg_optimizer_enabled` filter (props [@gsarig](https://github.com/gsarig), [@peterwilsoncc](https://github.com/peterwilsoncc), [@Sidsector9](https://github.com/Sidsector9), [@darylldoyle](https://github.com/darylldoyle), [@faisal-alvi](https://github.com/faisal-alvi), [@dkotter](https://github.com/dkotter), [@ravinderk](https://github.com/ravinderk) via [#79](https://github.com/10up/safe-svg/pull/79), [#145](https://github.com/10up/safe-svg/pull/145)).
- Spacing and color controls added to SVG block (props [@bmarshall511](https://github.com/bmarshall511), [@iamdharmesh](https://github.com/iamdharmesh) via [#135](https://github.com/10up/safe-svg/pull/135)).
- Mochawesome reporter added for Cypress test report (props [@jayedul](https://github.com/jayedul), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#124](https://github.com/10up/safe-svg/pull/124)).

### Changed
- Update [Support Level](https://github.com/10up/safe-svg#support-level) from `Active` to `Stable` (props [@Sidsector9](https://github.com/Sidsector9), [@iamdharmesh](https://github.com/iamdharmesh) via [#100](https://github.com/10up/safe-svg/pull/100)).
- Update name of SVG block from Safe SVG Icon to Inline SVG (props [@bmarshall511](https://github.com/bmarshall511), [@iamdharmesh](https://github.com/iamdharmesh) via [#135](https://github.com/10up/safe-svg/pull/135)).
- Bump WordPress "tested up to" version 6.3 (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul) via [#144](https://github.com/10up/safe-svg/pull/144)).
- Update the Dependency Review GitHub Action (props [@jeffpaul](https://github.com/jeffpaul), [@Sidsector9](https://github.com/Sidsector9) via [#128](https://github.com/10up/safe-svg/pull/128)).

### Fixed
- Add namespace to the `class_exists` check (props [@szepeviktor](https://github.com/szepeviktor), [@iamdharmesh](https://github.com/iamdharmesh) via [#120](https://github.com/10up/safe-svg/pull/120)).
- Ensure Sanitizer class is properly imported (props [@szepeviktor](https://github.com/szepeviktor), [@iamdharmesh](https://github.com/iamdharmesh) via [#121](https://github.com/10up/safe-svg/pull/121)).
- Remove an unneeded global (props [@szepeviktor](https://github.com/szepeviktor), [@iamdharmesh](https://github.com/iamdharmesh) via [#122](https://github.com/10up/safe-svg/pull/122)).
- Use absolute path in require (props [@szepeviktor](https://github.com/szepeviktor), [@iamdharmesh](https://github.com/iamdharmesh) via [#123](https://github.com/10up/safe-svg/pull/123)).
- Ensure custom classname added to SVG block is output on the front-end (props [@bmarshall511](https://github.com/bmarshall511), [@Sidsector9](https://github.com/Sidsector9), [@dkotter](https://github.com/dkotter) via [#130](https://github.com/10up/safe-svg/pull/130)).
- Ensure `SimpleXML` exists before using it (props [@sdmtt](https://github.com/sdmtt), [@faisal-alvi](https://github.com/faisal-alvi) via [#140](https://github.com/10up/safe-svg/pull/140)).
- Fix markdown issues in the readme (props [@szepeviktor](https://github.com/szepeviktor), [@iamdharmesh](https://github.com/iamdharmesh) via [#119](https://github.com/10up/safe-svg/pull/119)).

### Security
- Bump `semver` from 5.7.1 to 5.7.2 (props [@dependabot](https://github.com/apps/dependabot) via [#134](https://github.com/10up/safe-svg/pull/134)).
- Bump `word-wrap` from 1.2.3 to 1.2.5 (props [@dependabot](https://github.com/apps/dependabot) via [#141](https://github.com/10up/safe-svg/pull/141)).
- Bump `tough-cookie` from 4.1.2 to 4.1.3 and `@cypress/request` from 2.88.10 to 2.88.12 (props [@dependabot](https://github.com/apps/dependabot) via [#146](https://github.com/10up/safe-svg/pull/146)).

## [2.1.1] - 2023-04-05
### Changed
- Upgrade `@wordpress` npm package dependencies (props [@ggutenberg](https://github.com/ggutenberg), [@Sidsector9](https://github.com/Sidsector9) via [#108](https://github.com/10up/safe-svg/pull/108)).
Expand Down Expand Up @@ -259,6 +286,7 @@ All notable changes to this project will be documented in this file, per [the Ke
- Initial Release.

[Unreleased]: https://github.com/10up/safe-svg/compare/trunk...develop
[2.2.0]: https://github.com/10up/safe-svg/compare/2.1.1...2.2.0
[2.1.1]: https://github.com/10up/safe-svg/compare/2.1.0...2.1.1
[2.1.0]: https://github.com/10up/safe-svg/compare/2.0.3...2.1.0
[2.0.3]: https://github.com/10up/safe-svg/compare/2.0.2...2.0.3
Expand Down
2 changes: 1 addition & 1 deletion CREDITS.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo

Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.

[Daryll Doyle (@darylldoyle)](https://github.com/darylldoyle), [Lewis Cowles (@LewisCowles1986)](https://github.com/LewisCowles1986), [Daniel M. Hendricks (@dmhendricks)](https://github.com/dmhendricks), [Dan Pock (@mallardduck)](https://github.com/mallardduck), [K. Adam White (@kadamwhite)](https://github.com/kadamwhite), [Joe Hoyle (@joehoyle)](https://github.com/joehoyle), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Timothy Decker (@amdd-tim)](https://github.com/amdd-tim), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Manuel Friedli (@fritteli)](https://github.com/fritteli), [David Hamann (@davidhamann)](https://github.com/davidhamann), [@j-hoffmann](https://github.com/j-hoffmann), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Torsten Landsiedel (@Zodiac1978)](https://github.com/Zodiac1978), [Axel DUCORON (@aksld)](https://github.com/aksld), [Mario Rader (@r8r)](https://github.com/r8r), [Jeremy Turowetz (@jerturowetz)](https://github.com/jerturowetz), [Robert O'Rourke (@roborourke)](https://github.com/roborourke), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Adam Wills (@AdamWills)](https://github.com/AdamWills), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Cory Hughart (@cr0ybot)](https://github.com/cr0ybot), [Cory Birdsong (@cbirdsong)](https://github.com/cbirdsong), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Garth Gutenberg (@ggutenberg)](https://github.com/ggutenberg), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Marcel Freinbichler (@freinbichler)](https://github.com/freinbichler), [IanDelMar (@IanDelMar)](https://github.com/IanDelMar), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk).
[Daryll Doyle (@darylldoyle)](https://github.com/darylldoyle), [Lewis Cowles (@LewisCowles1986)](https://github.com/LewisCowles1986), [Daniel M. Hendricks (@dmhendricks)](https://github.com/dmhendricks), [Dan Pock (@mallardduck)](https://github.com/mallardduck), [K. Adam White (@kadamwhite)](https://github.com/kadamwhite), [Joe Hoyle (@joehoyle)](https://github.com/joehoyle), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Brandon Berg (@BBerg10up)](https://github.com/BBerg10up), [Max Lyuchin (@cadic)](https://github.com/cadic), [Mehidi Hassan (@mehidi258)](https://github.com/mehidi258), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Timothy Decker (@amdd-tim)](https://github.com/amdd-tim), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [Mehul Kaklotar (@mehulkaklotar)](https://github.com/mehulkaklotar), [@smerriman](https://github.com/smerriman), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Manuel Friedli (@fritteli)](https://github.com/fritteli), [David Hamann (@davidhamann)](https://github.com/davidhamann), [@j-hoffmann](https://github.com/j-hoffmann), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Torsten Landsiedel (@Zodiac1978)](https://github.com/Zodiac1978), [Axel DUCORON (@aksld)](https://github.com/aksld), [Mario Rader (@r8r)](https://github.com/r8r), [Jeremy Turowetz (@jerturowetz)](https://github.com/jerturowetz), [Robert O'Rourke (@roborourke)](https://github.com/roborourke), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Adam Wills (@AdamWills)](https://github.com/AdamWills), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Cory Hughart (@cr0ybot)](https://github.com/cr0ybot), [Cory Birdsong (@cbirdsong)](https://github.com/cbirdsong), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Garth Gutenberg (@ggutenberg)](https://github.com/ggutenberg), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [Marcel Freinbichler (@freinbichler)](https://github.com/freinbichler), [IanDelMar (@IanDelMar)](https://github.com/IanDelMar), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Santiago Dimattia (@sdmtt)](https://github.com/sdmtt), [Ben Marshall (@bmarshall511)](https://github.com/bmarshall511), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Curtis Loisel (@csloisel)](https://github.com/csloisel), [Giorgos Sarigiannidis (@gsarig)](https://github.com/gsarig).

## Libraries

Expand Down
60 changes: 36 additions & 24 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,16 @@
# Safe SVG

> Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website
[![Support Level](https://img.shields.io/badge/support-active-green.svg)](#support-level) [![Release Version](https://img.shields.io/github/release/10up/safe-svg.svg)](https://github.com/10up/safe-svg/releases/latest) ![WordPress tested up to version](https://img.shields.io/wordpress/plugin/tested/safe-svg?label=WordPress) [![GPLv2 License](https://img.shields.io/github/license/10up/safe-svg.svg)](https://github.com/10up/safe-svg/blob/develop/LICENSE.md)
[![Dependency Review](https://github.com/10up/safe-svg/actions/workflows/dependency-review.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/dependency-review.yml) [![E2E test](https://github.com/10up/safe-svg/actions/workflows/cypress.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/cypress.yml) [![PHP Compatibility](https://github.com/10up/safe-svg/actions/workflows/php-compatibility.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/php-compatibility.yml) [![PHPCS](https://github.com/10up/safe-svg/actions/workflows/phpcs.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/phpcs.yml) [![PHPUnit](https://github.com/10up/safe-svg/actions/workflows/phpunit.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/phpunit.yml)
> Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.
[![Support Level](https://img.shields.io/badge/support-stable-blue.svg)](#support-level)
[![Release Version](https://img.shields.io/github/release/10up/safe-svg.svg)](https://github.com/10up/safe-svg/releases/latest)
![WordPress tested up to version](https://img.shields.io/wordpress/plugin/tested/safe-svg?label=WordPress)
[![GPLv2 License](https://img.shields.io/github/license/10up/safe-svg.svg)](https://github.com/10up/safe-svg/blob/develop/LICENSE.md)
[![Dependency Review](https://github.com/10up/safe-svg/actions/workflows/dependency-review.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/dependency-review.yml)
[![E2E test](https://github.com/10up/safe-svg/actions/workflows/cypress.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/cypress.yml)
[![PHP Compatibility](https://github.com/10up/safe-svg/actions/workflows/php-compatibility.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/php-compatibility.yml)
[![PHPCS](https://github.com/10up/safe-svg/actions/workflows/phpcs.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/phpcs.yml)
[![PHPUnit](https://github.com/10up/safe-svg/actions/workflows/phpunit.yml/badge.svg)](https://github.com/10up/safe-svg/actions/workflows/phpunit.yml)

## Overview

Expand All @@ -12,17 +19,18 @@ Safe SVG is the best way to Allow SVG Uploads in WordPress!
It gives you the ability to allow SVG uploads whilst making sure that they're sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.

### Current Features

* **Sanitised SVGs** - Don't open up security holes in your WordPress site by allowing uploads of unsanitised files.
* **SVGO Optimisation** - Runs your SVGs through the SVGO tool on upload to save you space. This feature is disabled by default but can be enabled by adding the following code: `add_filter( 'safe_svg_optimizer_enabled', '__return_true' );`
* **View SVGs in the Media Library** - Gone are the days of guessing which SVG is the correct one, we'll enable SVG previews in the WordPress media library.

### Features on the Roadmap
* **SVGO Optimisation** - You'll have the option to run your SVGs through our SVGO server on upload to save you space.
* **Choose Who Can Upload** - Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.

Initially a proof of concept for [#24251](https://core.trac.wordpress.org/ticket/24251).

SVG Sanitization is done through the following library: [https://github.com/darylldoyle/svg-sanitizer](https://github.com/darylldoyle/svg-sanitizer).

SVG Optimization is done through the following library: [https://github.com/svg/svgo](https://github.com/svg/svgo).

## Requirements

* PHP 7.4+
Expand All @@ -39,42 +47,46 @@ Install through the WordPress directory or download, unzip and upload the files
Yes, this can be done using the `svg_allowed_attributes` and `svg_allowed_tags` filters.
They take one argument that must be returned. See below for examples:

add_filter( 'svg_allowed_attributes', function ( $attributes ) {
```php
add_filter( 'svg_allowed_attributes', function ( $attributes ) {

// Do what you want here...
// Do what you want here...

// This should return an array so add your attributes to
// to the $attributes array before returning it. E.G.
// This should return an array so add your attributes to
// to the $attributes array before returning it. E.G.

$attributes[] = 'target'; // This would allow the target="" attribute.
$attributes[] = 'target'; // This would allow the target="" attribute.

return $attributes;
} );
return $attributes;
} );


add_filter( 'svg_allowed_tags', function ( $tags ) {
add_filter( 'svg_allowed_tags', function ( $tags ) {

// Do what you want here...
// Do what you want here...

// This should return an array so add your tags to
// to the $tags array before returning it. E.G.
// This should return an array so add your tags to
// to the $tags array before returning it. E.G.

$tags[] = 'use'; // This would allow the <use> element.
$tags[] = 'use'; // This would allow the <use> element.

return $tags;
} );
return $tags;
} );
```

## Support Level

**Active:** 10up is actively working on this, and we expect to continue work for the foreseeable future including keeping tested up to the most recent version of WordPress. Bug reports, feature requests, questions, and pull requests are welcome.
**Stable:** 10up is not planning to develop any new features for this, but will still respond to bug reports and security concerns. We welcome PRs, but any that include new features should be small and easy to integrate and should not include breaking changes. We otherwise intend to keep this tested up to the most recent version of WordPress.

## Changelog

A complete listing of all notable changes to Safe SVG are documented in [CHANGELOG.md](https://github.com/10up/safe-svg/blob/develop/CHANGELOG.md).
A complete listing of all notable changes to Safe SVG are documented in [CHANGELOG.md](CHANGELOG.md).

## Contributing

Please read [CODE_OF_CONDUCT.md](https://github.com/10up/safe-svg/blob/develop/CODE_OF_CONDUCT.md) for details on our code of conduct, [CONTRIBUTING.md](https://github.com/10up/safe-svg/blob/develop/CONTRIBUTING.md) for details on the process for submitting pull requests to us, and [CREDITS.md](https://github.com/10up/safe-svg/blob/develop/CREDITS.md) for a listing of maintainers of, contributors to, and libraries used by Safe SVG.
Please read [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) for details on our code of conduct,
[CONTRIBUTING.md](CONTRIBUTING.md) for details on the process for submitting pull requests to us,
and [CREDITS.md](CREDITS.md) for a listing of maintainers of, contributors to, and libraries used by Safe SVG.

## Like what you see?

Expand Down
Loading

0 comments on commit 413ca06

Please sign in to comment.