SVG analysis
All SVG files introduced or altered in pull requests are scanned by an SVG scanner maintained by VIP. The scanner will flag any non-whitelisted attributes or tags and report them in the automated code review by the VIP Code Analysis Bot.
The Bot enables analysis of SVG files by default to look for any attributes related to security risks. SVG files are not regular images, but rather XML files that can contain valid XML markup and even HTML markup, some of which can cause potential security issues such as:
- Allowed
<iframe>
elements that can refer to external content. - Allowed
<script>
tags, a valid part of SVG markup, that can embed JavaScript. - An SVG can also reference an external SVG, which is embedded in the former SVG file.
VIP recommends that all SVG attributes and elements noted by the Bot are carefully evaluated using Mozilla’s MDN Web Docs on SVG elements and attributes, their purpose, and how they are used in SVG files.
Skip SVG analysis
To skip SVG analysis of specific directories, add a file named .vipgoci_svg_skip_folders
to the root of the application’s wpcomvip GitHub repository. Directories listed in this file, and the files that exist within them, will be ignored by SVG analysis scanning.
Last updated: December 22, 2023