The decision to include support for SVG files by default in JCE 2.6.25 was unfortunately not well thought through. It has been brought to my attention that SVG files can potentially be used to execute cross-site scripting attacks, because they are essentially a form of XML file. Although the method by which they would be embedded using the Image Manager, with the <img> tag, prevents scripts from being executed, it would be safer to make support for SVG files a user-defined option rather than a default.
Thank you to David Jardin for notifying me of this issue. If you find any more issues, please submit them on the forum or on GitHub.
Download and Installation
JCE Pro is available for download with a JCE Pro Subscription. If you already have a subscription, please make sure you set your key before updating to JCE Pro 2.6.26.
Instructions for installing and updating JCE for each Joomla version are available here