SVG files are very popular. Their vector-based nature allows them to be scaled, and they are smaller than PNG, JPG, and WebP files. Surprisingly, WordPress does not support SVG files out of the box, even though they are commonly used for logos and favicons. Instead, WordPress users rely on plugins to upload SVG files to their media libraries, and these plugins have more than 1.5 million downloads. SVG files are SEO-friendly as well because they are stored as XML text.
Security issues
During the latest WordPress Performance Team meeting, the contributors discussed a new module for SVG uploads. Contributor masteradhoc said,
« This is one of the bigger achievable pain points that I see in WP, as the vectorized format is quite popular for logos, icons, and illustrations. SVG is widely supported and has been for some time. A lot of concerns have been raised in the original Trac ticket about this in terms of security, as SVGs could include scripts, which is a security concern. The proposal only allows for SVGs to be uploaded if they do not contain scripts. »
SVG files can contain JavaScript, which is a security concern. The WordPress Performance Team will focus on creating a module that allows users to upload SVG files without scripts. Initially, the team will focus on allowing users to upload SVG files with the help of an SVG sanitizer library and on providing an SVG preview in the media library. While the majority of developers showed their support for the proposal, some also stated that WordPress Core may not have the necessary tools to check for scripts in an SVG file, but that an action or a filter can be added. Flixos90 said,
« Supportive of a Performance Lab module for this. Given that there are reliable approaches out there already for stripping scripts from SVGs, would be realistic to get this as a module fairly quickly and then get some testing. 6.2 for core merge would be a realistic goal. »
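The "action or a filter" approach mentioned above, sketched as an added example (not code from WordPress, the Performance Lab plugin, or any SVG plugin): an upload prefilter that rejects an SVG unless every element is on an allowlist and no attribute can run script. The `example_*` names and the allowlist are assumptions made for illustration; allowing the SVG MIME type itself is a separate step via the `upload_mimes` filter.

```php
<?php
// Added example; example_* names are hypothetical. Illustrative allowlist of passive SVG elements.
const EXAMPLE_SVG_ALLOWED = ['svg', 'g', 'path', 'rect', 'circle', 'ellipse', 'line',
    'polyline', 'polygon', 'text', 'tspan', 'title', 'desc', 'defs', 'use', 'symbol',
    'lineargradient', 'radialgradient', 'stop', 'clippath', 'mask'];
/** Returns a rejection reason, or null when the SVG carries no active content. */
function example_svg_rejection_reason(string $xml): ?string {
    // DTDs allow entity expansion and external entities, so refuse them outright.
    if (trim($xml) === '' || stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return 'empty file or DOCTYPE/ENTITY declaration';
    }
    libxml_use_internal_errors(true);   // collect parse errors instead of emitting warnings
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET) || strtolower($doc->documentElement->localName) !== 'svg') {
        return 'not a well-formed SVG document';
    }
    foreach ($doc->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (!in_array($name, EXAMPLE_SVG_ALLOWED, true)) {
            return "element <$name> is not allowed";          // e.g. script, foreignObject
        }
        foreach ($el->attributes as $attr) {
            $attrName = strtolower($attr->localName);
            if (strpos($attrName, 'on') === 0) {
                return "event handler attribute $attrName";   // onload, onclick, ...
            }
            if ($attrName === 'href' && strpos(ltrim($attr->value), '#') !== 0) {
                return 'href must point inside the same document'; // blocks javascript: URLs
            }
        }
    }
    return null;
}
// WordPress wiring: registered only when running inside WordPress.
if (function_exists('add_filter')) {
    add_filter('wp_handle_upload_prefilter', function (array $file): array {
        if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) === 'svg') {
            $reason = example_svg_rejection_reason((string) file_get_contents($file['tmp_name']));
            if ($reason !== null) { $file['error'] = "SVG rejected: $reason"; } // aborts the upload
        }
        return $file;
    });
} else { // Stand-alone run over two constructed samples: one passive, one with script.
    $samples = ['<svg xmlns="http://www.w3.org/2000/svg"><path d="M0 0h4v4z"/></svg>',
                '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'];
    foreach ($samples as $s) { var_dump(example_svg_rejection_reason($s)); }
}
```

Rejecting on an allowlist, rather than searching for `<script>` alone, also catches event-handler attributes and script-bearing elements that a simple tag search would miss.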
The WordPress Performance Team has also recently discussed the WebP implementation for WordPress 6.1. There are some concerns around WebP and its storage requirements. However, the team has revised its WebP plan to address this issue.