Posted on: 12/12/03 11:22am
By: Turias
Dirk, you have mentioned on numerous occasions that sites should not allow general users to use <img> tags when they post due to the ability to point the src attribure at dangerous scripts.
Wouldn't it be possible to create an
tag like vBulletin does? Geeklog could take the URL between these tags and parse the interior to make sure that the image does not point to a script. If it does, it is removed. If the URL points to a valid image file, only then is it displayed.
Is this possible? Or are there ways to circumvent it?
Re:Making img tags safe for general use
Posted on: 12/13/03 05:01pm
By: Dirk
[QUOTE BY= Turias] Is this possible? Or are there ways to circumvent it?[/QUOTE]
Possible - sure. What I'm not so sure about is if there are ways to circumvent it.
For example, we had a security problem with the built-in image upload at one point: It was possible to embed a PHP script in an image and use that to do Bad Things on a site (the exploit also involved Internet Explorer's crappy handling of MIME types - can't remember the details now).
Anyway, my point is that you need to think of these kind of things before you add such a feature (PHP wouldn't be a problem, obviously, but what about other scripting languages?).
Yes, I see that there is a need for a way to let normal users add images to their stories. But I'm not sure what the best way would be (and in any case, I think it should be configurable) ...
bye, Dirk