Reputation: 27301
After reading http://dsecrg.com/files/pub/pdf/XSS_in_images_evasion_bypass_(eng).pdf, it is clear that allowing image uploads from users opens you to XSS attacks.
I wasn't able to find any PHP examples of how to screen an uploaded image for XSS attacks.
I found one for CodeIgniter, which I am using. The function is xss_clean($file, IS_IMAGE), but there is only 1 sentence of documentation for it, so I have no idea how it works, and a comment in their forum said it had an unreasonably high rate of false positives, so it's not usable in production.
What do you recommend to prevent XSS attacks within an uploaded image?
Upvotes: 6
Views: 3081
Reputation: 278
In CodeIgniter there are many ways to prevent XSS. You can enable it when getting the value, like ->post('data', true). The second parameter is the XSS bool.
Also, don't use the HTML IMG tag. Use the CodeIgniter one that will clean, look and make it easier to display the image.
Just my two cents!
Upvotes: 0
Reputation: 191749
As long as you keep the extension correct (and your users are diligent about updating their browser) image injection should not be possible.
For instance, if someone uploads alert('xss'); as an image and you have <img src='that-image.png'>, it will be emitted as a PNG and the JavaScript won't execute (at least back to IE7). What's important is that you rename the images appropriately.
If you have PHP > 5.3 and the finfo PECL extension, you can use it to get the MIME type of the file and have a whitelist of types you will allow (png, jpg, gif I would imagine). If you are on a Linux machine, file may help you with that as well.
Upvotes: 4
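The approach in the answer above (detect the real type with finfo, whitelist png/jpg/gif, and rename the file so its extension matches what was detected), written out as an added PHP example that is not part of the original answer or of CodeIgniter. It assumes PHP 7 or later (for random_bytes and scalar type hints), the fileinfo extension, a form field named "image", and an upload directory chosen by the server; the function names detectAllowedImage and storeUploadedImage are my own.

```php
<?php
// Added example: validate an uploaded image by its content, not by the
// filename or Content-Type the browser supplied, and store it under a
// server-chosen name whose extension matches the detected type.
// Assumption: PHP >= 7 with the fileinfo extension available.

const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Returns the extension to use for an uploaded file, or null if the file
 * is not one of the allowed image types. The client-supplied name and
 * $_FILES['image']['type'] are deliberately never consulted.
 */
function detectAllowedImage(string $tmpPath): ?string
{
    // finfo inspects the magic bytes of the file itself.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    if ($finfo === false) {
        return null;
    }
    $mime = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);

    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // Second opinion: the image decoder must also parse it and agree on the
    // type, so a file that only carries image-looking magic bytes is rejected.
    $info = @getimagesize($tmpPath);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return null;
    }

    return ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Moves an entry of $_FILES into $uploadDir under a random name with the
 * detected extension. Returns the new filename, or null if rejected.
 */
function storeUploadedImage(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    $ext = detectAllowedImage($file['tmp_name']);
    if ($ext === null) {
        return null; // not a real png/jpg/gif by content: reject
    }

    // The original filename is discarded entirely, so a name such as
    // "photo.png.html" or one containing "../" has no influence on where
    // or with which extension the file is stored.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage in the upload handler (hypothetical paths):
// $stored = storeUploadedImage($_FILES['image'], __DIR__ . '/uploads');
// if ($stored === null) { http_response_code(400); exit('Invalid image'); }
```

When the stored file is later served, send it with the Content-Type that was whitelisted here and add an X-Content-Type-Options: nosniff header, so that browsers which would otherwise sniff the content (the case the answer's "diligent about updating their browser" remark refers to) are told not to.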