Safe SVG

2.4.0 – 2025-09-22

• Added: Ability to upload SVGs from more admin locations (props @stormrockwell, @darylldoyle, @wpexplorer, @smerriman, @jeffpaul, @dkotter via #279).
• Changed: Added $attachment_id argument to filters safe_svg_use_width_height_attributes and safe_svg_dimensions (props @roborourke, @dkotter via #278).
• Fixed: Inconsistent or incorrect data type for $svg argument in the filters safe_svg_use_width_height_attributes and safe_svg_dimensions (props @roborourke, @dkotter via #278).

2.3.3 – 2025-08-13

• Security: Update the enshrined/svg-sanitize package from 0.19.0 to 0.22.0 to fix an issue with case-insensitive attributes slipping through the sanitiser and address PHP 8.4 deprecation warnings (props @darylldoyle, @sudar, @georgestephanis, @dkotter, @realazizk via #268, #272).
• Security: Bump form-data from 4.0.0 to 4.0.4 (props @dependabot, @faisal-alvi via #270).
• Security: Bump tmp from 0.2.3 to 0.2.5 and @inquirer/editor from 4.2.9 to 4.2.16 (props @dependabot, @dkotter via #271).

2.3.2 – 2025-07-21

• Fixed: Visual parity between the front end and the block editor (props @s3rgiosan, @dkotter via #261, #266).
• Changed: Bump WordPress “tested up to” version 6.8 (props @godleman, @jeffpaul, @dkotter via #251, #254).
• Changed: Bump WordPress minimum supported version to 6.6 (props @godleman, @jeffpaul, @dkotter via #254).
• Security: Bump ws from 7.5.10 to 8.18.0, @wordpress/scripts from 27.9.0 to 30.6.0, nanoid from 3.3.7 to 3.3.8 and mocha from 10.2.0 to 11.0.1 (props @dependabot, @peterwilsoncc via #245).
• Security: Bump @babel/runtime from 7.23.9 to 7.27.0, axios from 1.7.4 to 1.8.4, cookie from 0.4.2 to 0.7.1, express from 4.21.0 to 4.21.2 and @wordpress/e2e-test-utils-playwright from 0.26.0 to 1.20.0 (props @dependabot, @dkotter via #250).
• Security: Bump http-proxy-middleware from 2.0.6 to 2.0.9 (props @dependabot, @iamdharmesh via #253).
• Security: Bump tar-fs from 3.0.8 to 3.0.9 (props @dependabot, @dkotter via #258).
• Security: Bump bytes from 3.0.0 to 3.1.2 and compression from 1.7.4 to 1.8.1 (props @dependabot, @dkotter via #265).

2.3.1 – 2024-12-05

• Fixed: Revert changes made to how we determine custom dimensions for SVGs (props @dkotter, @martinpl, @subfighter3, @smerriman, @gigatyrant, @jeffpaul, @iamdharmesh via #238).

2.3.0 – 2024-11-25

• Added: New setting that allows large SVG files (roughly 10MB or greater) to be uploaded and sanitized properly (props @kirtangajjar, @faisal-alvi, @darylldoyle, @manojsiddoji, @dkotter via #201).
• Added: New get_svg_dimensions function in order to reduce code duplication (props @gabriel-glo, @jeremymoore, @darylldoyle, @iamdharmesh, @dkotter via #216).
• Changed: Updated the enshrined/svg-sanitize package from 0.16.0 to 0.19.0 to fix a PHP 8.3 compatibility issue (props @sksaju, @TylerB24890, @darylldoyle, @rolf-yoast, @faisal-alvi via #214).
• Changed: Update how image dimensions are passed in get_image_tag_override and one_pixel_fix methods (props @gabriel-glo, @jeremymoore, @darylldoyle, @iamdharmesh, @dkotter via #216).
• Changed: Bump WordPress “tested up to” version to 6.7 (props @colinswinney, @jeffpaul via #232, #233).
• Changed: Bump WordPress minimum from 6.4 to 6.5 (props @colinswinney, @jeffpaul via #232, #233).
• Changed: Remove composer dev dependencies from archived project (props @TylerB24890, @szepeviktor, @peterwilsoncc via #220).
• Fixed: Use proper block category for the Safe SVG Icon block (props @kirtangajjar, @fabiankaegy via #226).
• Security: Only allow SVG file types to be uploaded if our sanitizer is able to run on those files (props @darylldoyle, @xknown, @dkotter via #228).
• Security: Bump webpack from 5.90.1 to 5.94.0 (props @dependabot, @peterwilsoncc via #222).
• Security: Bump ws from 7.5.10 to 8.18.0, serve-static from 1.15.0 to 1.16.2 and express from 4.19.2 to 4.21.0 (props @dependabot, @Sidsector9, @faisal-alvi via #227, #230, #234).

2.2.6 – 2024-08-28

• Changed: Bump WordPress “tested up to” version to 6.6 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
• Changed: Bump WordPress minimum from 5.7 to 6.4 (props @sudip-md, @ankitguptaindia, @jeffpaul via #212, #213).
• Security: Add svg sanitization on the wp_handle_sideload_prefilter filter (props @dkotter, @xknown, @iamdharmesh via GHSA-3vr7-86pg-hf4g).
• Security: Bump braces from 3.0.2 to 3.0.3, pac-resolver from 7.0.0 to 7.0.1, socks from 2.7.1 to 2.8.3, ws from 7.5.9 to 7.5.10 and remove ip (props @dependabot, @Sidsector9 via #206).
• Security: Bump axios from 1.6.7 to 1.7.4 (props @dependabot, @faisal-alvi via #218).

View historical changelog details here.