Safe SVG Reviews, Downloads & Maintenance

Back to plugins

Homepage WordPress

Actions

Download Author page See on WordPress

Plugin info

Total downloads: 12,354,839

Active installs: 1,000,000

Total reviews: 76

Average rating: 4.9

Support threads opened: 1

Support threads resolved: 0 (0%)

Available in: 32 language(s)

Contributors: 6

Last updated: 9/22/2025 (98 days ago)

Added to WordPress: 7/3/2015 (10 years old)

Minimum WordPress version: 6.6

Tested up to WordPress version: 6.8.3

Minimum PHP version: 7.4

Maintenance & Compatibility

Maintenance score

Maintained • Last updated 98 days ago • Support resolved 0% • 76 reviews

46/100

Is Safe SVG abandoned?

Likely maintained (last update 98 days ago).

Compatibility

Requires WordPress: 6.6

Tested up to: 6.8.3

Requires PHP: 7.4

Similar & Alternatives

Explore plugins with similar tags, and compare key metrics like downloads, ratings, updates, support, and WP/PHP compatibility.

No similar plugins found yet.

See more alternatives to Safe SVG

Description

Safe SVG is the best way to Allow SVG Uploads in WordPress!

It gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.

Current Features

Sanitised SVGs – Don’t open up security holes in your WordPress site by allowing uploads of unsanitised files.
SVGO Optimisation – Runs your SVGs through the SVGO tool on upload to save you space. This feature is disabled by default but can be enabled by adding the following code: add_filter( 'safe_svg_optimizer_enabled', '__return_true' );
View SVGs in the Media Library – Gone are the days of guessing which SVG is the correct one, we’ll enable SVG previews in the WordPress media library.
Choose Who Can Upload – Restrict SVG uploads to certain users on your WordPress site or allow anyone to upload.

Initially a proof of concept for #24251.

SVG Sanitization is done through the following library: https://github.com/darylldoyle/svg-sanitizer.

SVG Optimization is done through the following library: https://github.com/svg/svgo.

Installation

Install through the WordPress directory or download, unzip and upload the files to your /wp-content/plugins/ directory

Frequently Asked Questions

Can we change the allowed attributes and tags?

Yes, this can be done using the svg_allowed_attributes and svg_allowed_tags filters.
They take one argument that must be returned. See below for examples:

add_filter( 'svg_allowed_attributes', function ( $attributes ) {

    // Do what you want here...

    // This should return an array so add your attributes to
    // to the $attributes array before returning it. E.G.

    $attributes[] = 'target'; // This would allow the target="" attribute.

    return $attributes;
} );


add_filter( 'svg_allowed_tags', function ( $tags ) {

    // Do what you want here...

    // This should return an array so add your tags to
    // to the $tags array before returning it. E.G.

    $tags[] = 'use'; // This would allow the <use> element.

    return $tags;
} );

Review feed

Cory Hughart

2/14/2022

Agency go-to for SVG uploads

Our agency has a talented illustrator who is adept at creating SVGs, particularly with self-contained CSS animations. We would be loading them all manually from the theme folder with no path to easily add new or replace existing SVGs without developer involvement if it weren't for this plugin. We install Safe SVG on pretty much all sites we custom build for our clients. I'm really hoping for some additional features to come to this plugin to better support the Gutenberg editor, since the core image block doesn't handle SVGs well. But that doesn't affect my 5-star review as the most reliable SVG upload plugin.

Gwyneth Llewelyn

2/23/2022

Incredibly useful!

Why Automattic hates SVG has always been a source of confusion to me. Why shouldn't uploading SVG be as easy and straightforward as any other kind of (supported) image? Then again, it's true that you can write malicious code inside a SVG rather easily. The solution? Safe SVG. It cleans up a malformed or malicious SVG during the upload, so that when it arrives in your Media Library, it will already have been sanitised. The plugin is as simple to operate as it is useful. All parts of WP that require opening the Media Library browser will now accept SVGs as well. As others have remarked, there are some outstanding issues when previewing SVGs inside Gutenberg. No surprises there — this plugin has predated Gutenberg, and (at the time of writing) has been abandoned for about two years, during which Automattic has been eagerly upgrading WordPress. The author has not gone away, though. He is still actively developing the sanitising part of the plugin, using a library he has developed and posted on GitHub, and which has accepted several contributions and gone through many code reviews. It's possibly the reference library for SVG sanitation written in PHP. And fortunately he's now back and has released a brand new version as of late February 2022 :)

Blockify

4/1/2022

Why is this not a part of core?

Great plugin, does what it says. Should be core functionality.

Stefano

4/30/2025

Wonderful + fetaure request

Great plugin! very usefull, but please can you add the possibility to add an inline SVG on the block pasting svg code? Thanks!

Screenshots

No screenshots available

Changelog

2.4.0 – 2025-09-22

Added: Ability to upload SVGs from more admin locations (props @stormrockwell, @darylldoyle, @wpexplorer, @smerriman, @jeffpaul, @dkotter via #279).
Changed: Added $attachment_id argument to filters safe_svg_use_width_height_attributes and safe_svg_dimensions (props @roborourke, @dkotter via #278).
Fixed: Inconsistent or incorrect data type for $svg argument in the filters safe_svg_use_width_height_attributes and safe_svg_dimensions (props @roborourke, @dkotter via #278).

2.3.3 – 2025-08-13

Security: Update the enshrined/svg-sanitize package from 0.19.0 to 0.22.0 to fix an issue with case-insensitive attributes slipping through the sanitiser and address PHP 8.4 deprecation warnings (props @darylldoyle, @sudar, @georgestephanis, @dkotter, @realazizk via #268, #272).
Security: Bump form-data from 4.0.0 to 4.0.4 (props @dependabot, @faisal-alvi via #270).
Security: Bump tmp from 0.2.3 to 0.2.5 and @inquirer/editor from 4.2.9 to 4.2.16 (props @dependabot, @dkotter via #271).

2.3.2 – 2025-07-21

Fixed: Visual parity between the front end and the block editor (props @s3rgiosan, @dkotter via #261, #266).
Changed: Bump WordPress “tested up to” version 6.8 (props @godleman, @jeffpaul, @dkotter via #251, #254).
Changed: Bump WordPress minimum supported version to 6.6 (props @godleman, @jeffpaul, @dkotter via #254).
Security: Bump ws from 7.5.10 to 8.18.0, @wordpress/scripts from 27.9.0 to 30.6.0, nanoid from 3.3.7 to 3.3.8 and mocha from 10.2.0 to 11.0.1 (props @dependabot, @peterwilsoncc via #245).
Security: Bump @babel/runtime from 7.23.9 to 7.27.0, axios from 1.7.4 to 1.8.4, cookie from 0.4.2 to 0.7.1, express from 4.21.0 to 4.21.2 and @wordpress/e2e-test-utils-playwright from 0.26.0 to 1.20.0 (props @dependabot, @dkotter via #250).
Security: Bump http-proxy-middleware from 2.0.6 to 2.0.9 (props @dependabot, @iamdharmesh via #253).
Security: Bump tar-fs from 3.0.8 to 3.0.9 (props @dependabot, @dkotter via #258).
Security: Bump bytes from 3.0.0 to 3.1.2 and compression from 1.7.4 to 1.8.1 (props @dependabot, @dkotter via #265).

2.3.1 – 2024-12-05

Fixed: Revert changes made to how we determine custom dimensions for SVGs (props @dkotter, @martinpl, @subfighter3, @smerriman, @gigatyrant, @jeffpaul, @iamdharmesh via #238).

2.3.0 – 2024-11-25

Added: New setting that allows large SVG files (roughly 10MB or greater) to be uploaded and sanitized properly (props @kirtangajjar, @faisal-alvi, @darylldoyle, @manojsiddoji, @dkotter via #201).
Added: New get_svg_dimensions function in order to reduce code duplication (props @gabriel-glo, @jeremymoore, @darylldoyle, @iamdharmesh, @dkotter via #216).
Changed: Updated the enshrined/svg-sanitize package from 0.16.0 to 0.19.0 to fix a PHP 8.3 compatibility issue (props @sksaju, @TylerB24890, @darylldoyle, @rolf-yoast, @faisal-alvi via #214).
Changed: Update how image dimensions are passed in get_image_tag_override and one_pixel_fix methods (props @gabriel-glo, @jeremymoore, @darylldoyle, @iamdharmesh, @dkotter via #216).
Changed: Bump WordPress “tested up to” version to 6.7 (props @colinswinney, @jeffpaul via #232, #233).
Changed: Bump WordPress minimum from 6.4 to 6.5 (props @colinswinney, @jeffpaul via #232, #233).
Changed: Remove composer dev dependencies from archived project (props @TylerB24890, @szepeviktor, @peterwilsoncc via #220).
Fixed: Use proper block category for the Safe SVG Icon block (props @kirtangajjar, @fabiankaegy via #226).
Security: Only allow SVG file types to be uploaded if our sanitizer is able to run on those files (props @darylldoyle, @xknown, @dkotter via #228).
Security: Bump webpack from 5.90.1 to 5.94.0 (props @dependabot, @peterwilsoncc via #222).
Security: Bump ws from 7.5.10 to 8.18.0, serve-static from 1.15.0 to 1.16.2 and express from 4.19.2 to 4.21.0 (props @dependabot, @Sidsector9, @faisal-alvi via #227, #230, #234).

2.2.6 – 2024-08-28

Changed: Bump WordPress “tested up to” version to 6.6 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
Changed: Bump WordPress minimum from 5.7 to 6.4 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
Security: Add svg sanitization on the wp_handle_sideload_prefilter filter (props @dkotter, @xknown, @iamdharmesh via GHSA-3vr7-86pg-hf4g).
Security: Bump braces from 3.0.2 to 3.0.3, pac-resolver from 7.0.0 to 7.0.1, socks from 2.7.1 to 2.8.3, ws from 7.5.9 to 7.5.10 and remove ip (props @dependabot, @Sidsector9 via #206).
Security: Bump axios from 1.6.7 to 1.7.4 (props @dependabot, @faisal-alvi via #218).

View historical changelog details here.