Can you add the following restrictions to the Apache configuration for the
openclipart site? It appears that .htaccess does not allow adding these:
# Serve HTML as plaintext
AddType text/plain .html .htm .shtml
# Don't run arbitrary PHP code.
php_admin_flag engine off
# Disable other script types
<Files ~ "\.(php|php3|php4|phps|phtml|shtm|shtml|cgi|pl|pm|asp|cfm|js|jse|
deny from all
While we check that uploaded files are .svg's during upload, this would give a
stronger measure of security by preventing them from being executed.
To test the change, this URL: http://openclipart.org/incoming/contact.php
should return the PHP as non-executed plain text, not as a web page.
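As an added example (not part of this report, and not the openclipart site's or Apache's own code), the block below writes out a complete directory-scoped version of the restrictions sketched above and exercises it offline: it pulls the script-extension pattern out of the config and decides which uploaded filenames Apache would refuse, and it judges a test response for the contact.php URL. The directory path, the closing of the `FilesMatch` block, the `(?i)` and `(\.|$)` parts of the pattern, and the sample responses are assumptions made here; the extension list is the fragment visible in the request.

```python
import posixpath
import re

# Constructed full version of the requested block, assumed to live in the
# site's vhost config rather than .htaccess (which is why php_admin_flag and
# AddType could not be set per-directory by the uploader). The path, the
# (?i) flag and the (\.|$) anchor are assumptions added here.
UPLOAD_DIR_CONFIG = r'''
<Directory "/srv/www/openclipart/incoming">
    # Serve HTML as plaintext so uploaded markup is shown as source, never rendered
    AddType text/plain .html .htm .shtml
    # Don't run arbitrary PHP code (mod_php directive; not allowed in .htaccess)
    php_admin_flag engine off
    # Refuse to serve anything named like a script. The (\.|$) tail also catches
    # "x.php.svg", because mod_mime applies handlers to any extension in a
    # multi-dot filename, not only the last one.
    <FilesMatch "(?i)\.(php|php3|php4|phps|phtml|shtm|shtml|cgi|pl|pm|asp|cfm|js|jse)(\.|$)">
        deny from all
    </FilesMatch>
</Directory>
'''
# Note: "deny from all" is the Apache 2.2 form used in the request;
# on Apache 2.4 the equivalent is "Require all denied".


def denied_name_pattern(config: str) -> "re.Pattern[str]":
    """Extract the FilesMatch regex from a config block and compile it.
    Apache evaluates it against the basename of the requested file."""
    m = re.search(r'<FilesMatch\s+"((?:[^"\\]|\\.)*)"\s*>', config)
    if m is None:
        raise ValueError("no FilesMatch directive found in config")
    return re.compile(m.group(1))


def would_be_denied(path: str, pattern: "re.Pattern[str]") -> bool:
    """True if a request for this path would hit the deny block.
    Only the final path component matters, as with Apache's <FilesMatch>."""
    return pattern.search(posixpath.basename(path)) is not None


def execution_prevented(status: int, content_type: str, body: str) -> bool:
    """Judge a test response for an uploaded .php file.

    Passes if Apache refused it outright (403 from the deny block) or returned
    the PHP source unexecuted as text/plain, which is the outcome the report
    describes. A rendered page, or plain text with no PHP source in it,
    means the script still ran."""
    if status == 403:
        return True
    media_type = content_type.split(";", 1)[0].strip().lower()
    return status == 200 and media_type == "text/plain" and "<?php" in body


def audit_upload_names(names, config: str = UPLOAD_DIR_CONFIG):
    """Map each constructed upload name to whether the config would deny it."""
    pattern = denied_name_pattern(config)
    return {name: would_be_denied(name, pattern) for name in names}


if __name__ == "__main__":
    # Constructed sample upload names, including a double-extension case
    sample_names = ["logo.svg", "contact.php", "evil.php.svg",
                    "Upload.PHP", "README.html", "run.cgi"]
    for name, denied in audit_upload_names(sample_names).items():
        print(f"{name:14s} -> {'denied' if denied else 'served'}")

    # Constructed sample responses for the contact.php test URL
    print(execution_prevented(200, "text/plain; charset=UTF-8",
                              "<?php mail($_GET['to'], 'hi', 'x'); ?>"))  # True
    print(execution_prevented(200, "text/html", "<html>sent</html>"))      # False
```

With both directives in place the test URL returns 403 from the deny block rather than plain text; `execution_prevented` accepts either outcome, since both mean the uploaded PHP did not run. Note that `.html` names are not denied but are served as `text/plain` by the `AddType` line, so the audit reports them as served, which is the intended behaviour.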