Dolph

Reputation: 50650

Loading executable code through <img> or <a> tags?

I'm working on an app that would allow people to enter arbitrary URLs that would be included in <a href="ARBITRARY URL"> and <img src="ARBITRARY URL" /> tags.

What type of security risks am I looking at?

The app is coded in PHP, and the only security countermeasure I currently perform is using PHP's htmlentities() function against the input URL before sending it as HTML. I'm also checking to make sure that the URL text starts with either http:// or https://, but I don't know if that's accomplishing anything, security-wise.

What else should I be doing to ensure the security of my end users?

Upvotes: 5

Views: 1051

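As an added example (not code from the question or from any of the answers), here is how the scheme check and the escaping described in the question can be made stricter in PHP: parse the URL instead of testing a prefix, allow only http/https, escape with ENT_QUOTES, and, for images, restrict hosts so the viewer's browser is not sent to arbitrary endpoints. IMAGE_HOSTS is an assumed sample allowlist.

```php
<?php
// Added example, not the asker's code: validate a user-supplied URL before it
// goes into <a href> or <img src>, then escape it for the attribute context.
// IMAGE_HOSTS is a constructed sample allowlist.
const IMAGE_HOSTS = ['images.example.com', 'cdn.example.net'];

function validateUrl(string $url, ?array $allowedHosts = null): ?string
{
    $url = trim($url);
    // Browsers tolerate tabs, newlines and other control characters inside a
    // scheme, which defeats naive prefix checks, so reject them outright.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) return null;
    $parts = parse_url($url);
    // javascript:, data: and similar URLs parse without a host and fail here.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) return null;
    // Scheme allowlist, compared case-insensitively: only http and https pass.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) return null;
    $host = strtolower($parts['host']);
    if ($allowedHosts !== null && !in_array($host, $allowedHosts, true)) return null;
    return $url;
}

// htmlentities() defaults to ENT_QUOTES only from PHP 8.1; request it explicitly
// so a single quote cannot close a single-quoted attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderLink(string $url): string
{
    $safe = validateUrl($url);
    // rel="noopener noreferrer" keeps the linked page away from window.opener.
    return $safe === null ? ''
        : '<a href="' . attr($safe) . '" rel="noopener noreferrer">' . attr($safe) . '</a>';
}

function renderImage(string $url): string
{
    // Any <img> load is a GET from the viewer's browser (see the CSRF answer),
    // so only allowlisted hosts, or an image proxy you control, belong here.
    $safe = validateUrl($url, IMAGE_HOSTS);
    return $safe === null ? '' : '<img src="' . attr($safe) . '" alt="" />';
}

// Constructed inputs: the first two are dropped, the last two render as links;
// only the allowlisted host also renders as an image.
foreach (['javascript:alert(1)', 'data:text/html,<script>', 'HTTP://cdn.example.net/a.png', "https://example.org/?q='x'"] as $u) {
    echo renderLink($u), "\n", renderImage($u), "\n";
}
```
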
Answers (7)

Collin

Reputation: 437

In addition to the great answers so far, the XSS cheat sheet doesn't really account for event attributes like onmouseover, onhover, etc. These are all, by design, there to allow someone to run some JavaScript when something happens.

Upvotes: 0

Mike Samuel

Reputation: 120506

It is possible to construct an image that is also a valid JavaScript file, and get a browser to execute it. See http://www.thinkfu.com/blog/?p=15

SVG images (MIME type image/svg+xml) can contain JavaScript. See http://www.w3.org/TR/SVG/interact.html

Upvotes: 3

Alex Bagnolini

Reputation: 22382

You would like to read about XSS (cross-site scripting) and XSRF (cross-site request forgery).

EDIT: As pointed out by ryeguy, you can pretty much copy and paste any of the examples in XSS (Cross Site Scripting) Cheat Sheet and seek the best way to prevent from them accordingly.

Upvotes: 2

orip

Reputation: 75427

CSRF:

<img src="http://example.org/accounts/123/delete" />

Upvotes: 1

Pekka

Reputation: 449415

In addition, it is possible to insert whole images into URLs using inline data in newer browsers. It might be possible to inject something through there; however, that would require a gaping browser-side security hole, and I would not know how to sanitize something like that.

Maybe you just want to restrict access to certain domains, or check whether an image physically exists? That might already help a lot.

Upvotes: 1

ryeguy

Reputation: 66851

Take a look at the XSS Checklist.

Upvotes: 3

pablasso

Reputation: 2499

You should sanitize at all times; img tags are vulnerable to cross-site scripting.

Upvotes: 2
