Welcome to Geeklog, Anonymous Thursday, December 08 2022 @ 04:22 am EST

Geeklog Forums

Making img tags safe for general use


Status: offline

Turias

Forum User
Full Member
Registered: 10/20/03
Posts: 807
Dirk, you have mentioned on numerous occasions that sites should not allow general users to use <img> tags when they post due to the ability to point the src attribure at dangerous scripts.

Wouldn't it be possible to create an tag like vBulletin does? Geeklog could take the URL between these tags and parse the interior to make sure that the image does not point to a script. If it does, it is removed. If the URL points to a valid image file, only then is it displayed.

Is this possible? Or are there ways to circumvent it?
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Turias: Is this possible? Or are there ways to circumvent it?

Possible - sure. What I'm not so sure about is if there are ways to circumvent it.

For example, we had a security problem with the built-in image upload at one point: It was possible to embed a PHP script in an image and use that to do Bad Things on a site (the exploit also involved Internet Explorer's crappy handling of MIME types - can't remember the details now).

Anyway, my point is that you need to think of these kind of things before you add such a feature (PHP wouldn't be a problem, obviously, but what about other scripting languages?).

Yes, I see that there is a need for a way to let normal users add images to their stories. But I'm not sure what the best way would be (and in any case, I think it should be configurable) ...

bye, Dirk
 Quote

All times are EST. The time is now 04:22 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content