Status: offline


Forum User
Full Member
Registered: 10/20/03
Posts: 807
Dirk, you have mentioned on numerous occasions that sites should not allow general users to use <img> tags when they post due to the ability to point the src attribure at dangerous scripts.

Wouldn't it be possible to create an tag like vBulletin does? Geeklog could take the URL between these tags and parse the interior to make sure that the image does not point to a script. If it does, it is removed. If the URL points to a valid image file, only then is it displayed.

Is this possible? Or are there ways to circumvent it?

Status: offline


Site Admin
Registered: 01/12/02
Posts: 13073
Quote by Turias: Is this possible? Or are there ways to circumvent it?

Possible - sure. What I'm not so sure about is if there are ways to circumvent it.

For example, we had a security problem with the built-in image upload at one point: It was possible to embed a PHP script in an image and use that to do Bad Things on a site (the exploit also involved Internet Explorer's crappy handling of MIME types - can't remember the details now).

Anyway, my point is that you need to think of these kind of things before you add such a feature (PHP wouldn't be a problem, obviously, but what about other scripting languages?).

Yes, I see that there is a need for a way to let normal users add images to their stories. But I'm not sure what the best way would be (and in any case, I think it should be configurable) ...

bye, Dirk