sbrian

Reputation: 229

Attacks using data URI scheme and img tags

Is anyone aware of any security issues with the use of <img src="data:xxxxx"> where the user supplies the content? Assume the content is validated so it fits the format for a data URI so it can't break out of the tag, and is also restricted to image mime types.

http://en.wikipedia.org/wiki/Data_URI_scheme

Upvotes: 2

Views: 1108

Answers (2)

Gumbo

Reputation: 655239

I think this should be secure. As the data URI syntax for images is quite strict:

data:image/<subtype>;base64,<base64-stream>

it would be easy to validate (see for example RegEx to parse or validate Base64 data).

The only vulnerability I can think of is one within the component that parses/renders the image.

Upvotes: 1
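The validation described in the answer above, as an added example that is not part of the original thread: a whole-string check of the `data:image/<subtype>;base64,<base64-stream>` form. The function name, the subtype allowlist, the size cap and the signature comparison are assumptions of this example, which targets Node.js.

```javascript
// Added example: strict validation of user-supplied image data URIs.
// The subtype allowlist, signatures and size cap are assumptions of this example.
const SIGNATURES = {
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  jpeg: [0xff, 0xd8, 0xff],
  gif: [0x47, 0x49, 0x46, 0x38], // "GIF8"
};
const MAX_BYTES = 1024 * 1024; // constructed limit on decoded size

// Anchored whole-string match: fixed prefix, allowlisted subtype, then
// canonical padded base64 only. No quotes, whitespace, extra parameters
// or percent-escapes can pass, so the value cannot leave the src attribute.
const DATA_URI =
  /^data:image\/(png|jpeg|gif);base64,((?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?)$/;

function validateImageDataUri(uri) {
  if (typeof uri !== "string") return { ok: false, reason: "not a string" };
  // Reject oversized input before running the regex or decoding.
  if (uri.length > Math.ceil(MAX_BYTES / 3) * 4 + 32) {
    return { ok: false, reason: "too large" };
  }
  const match = DATA_URI.exec(uri);
  if (!match) return { ok: false, reason: "syntax" };
  const [, subtype, b64] = match;
  const bytes = Buffer.from(b64, "base64");
  if (bytes.length > MAX_BYTES) return { ok: false, reason: "too large" };
  // The declared subtype must agree with the leading bytes of the payload.
  const signature = SIGNATURES[subtype];
  if (!signature.every((b, i) => bytes[i] === b)) {
    return { ok: false, reason: "signature mismatch" };
  }
  return { ok: true, subtype, size: bytes.length };
}

// Constructed sample inputs (header bytes only, not complete images).
const pngHeader = Buffer.from(SIGNATURES.png).toString("base64");
const samples = [
  "data:image/png;base64," + pngHeader,
  "data:image/png;base64," + Buffer.from(SIGNATURES.jpeg).toString("base64"),
  "data:text/html;base64,AAAA",
  'data:image/png;base64,AAAA" x="',
];
for (const s of samples) console.log(JSON.stringify(validateImageDataUri(s)), s);
```

The signature comparison only confirms that the declared subtype matches the leading bytes; it does not cover flaws in the component that decodes the image, which is the residual risk the answers name.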

sblom

Reputation: 27343

There's definitely different code involved, but it's probably not any more attackable than a normal img link.

Upvotes: 2
