Tom Manterfield

Reputation: 7053

Is it secure to blindly trust image urls and output them into html img tags on a site? Can it be used to inject code?

I have to process a feed from a data provider; in this feed they provide us with image URLs. Currently we download them and store them on our own media server, but I was wondering if it was safe to simply take the URL and output it directly in the HTML as the src attribute of an img tag.

My main concern is whether this exposes us to the possibility of someone placing files under that URL which could run malicious scripts / do something other than render an image (or fail to render an image if it isn't one / doesn't exist, which is fine).

Will the img src attribute only render images, or will it download the file specified in the URL to the user's browser regardless of what it is?

I can verify at the import stage that the URL at least appears to be a valid image URL, so it would only ever have .jpg or whatever as an extension, but obviously this might still allow them to redirect to something else.

Upvotes: 1

Views: 1197

Answers (1)

ARMBouhali

Reputation: 298

Image URLs can of course point to scripts (with some URL rewriting), but there's no risk of getting a script run from an image load. URL data is treated as binary image data, not as runnable text/script.

If it's a script, for your browser it's nothing more than a corrupted image file. So, no code injections risk. At least this is what I know.

Upvotes: 3
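The answer covers what the browser does with the *fetched bytes*; the other half of "blindly outputting a URL into an img tag" is the URL *string* itself landing inside an HTML attribute. The following is an added example (not code from the question or the answer) showing the two checks a feed importer would want before emitting the tag: validate the URL against an allow-list of schemes, hosts and extensions, then attribute-escape it so a feed value containing quotes cannot terminate the src attribute. The host allow-list value `images.example-provider.test` is a constructed placeholder, as are the sample URLs.

```python
from html import escape
from urllib.parse import urlsplit

# Only fetchable-image schemes; rejects javascript:, data:, file:, and
# scheme-relative (//host/...) values alike.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Hypothetical allow-list of the data provider's image hosts (constructed
# placeholder; a real importer would list the provider's actual CDN hosts).
ALLOWED_HOSTS = {"images.example-provider.test"}


def is_safe_image_url(url: str) -> bool:
    """Return True only for an absolute http(s) URL on an allowed host whose
    path ends in an allowed image extension and carries no credentials."""
    if not isinstance(url, str) or any(c in url for c in "\x00\r\n"):
        return False
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # urlsplit lowercases hostname already; None means no netloc at all.
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return False
    if parts.username or parts.password:
        return False
    path = parts.path.lower()
    return any(path.endswith(ext) for ext in ALLOWED_EXTENSIONS)


def render_img_tag(url: str, alt: str = "") -> str:
    """Emit an <img> tag for a feed URL, or an empty string if it fails
    validation. escape(..., quote=True) turns " and ' into entities, so the
    URL can never close the src attribute and introduce another one."""
    if not is_safe_image_url(url):
        return ""  # caller may substitute its own placeholder image
    return '<img src="{}" alt="{}">'.format(
        escape(url.strip(), quote=True), escape(alt, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample feed values.
    for candidate in [
        "https://images.example-provider.test/photo.jpg",
        "javascript:void(0)",
        "//images.example-provider.test/photo.jpg",
        "https://other.test/photo.jpg",
        'https://images.example-provider.test/photo.jpg?v="',
    ]:
        print(repr(candidate), "->", repr(render_img_tag(candidate, alt="product")))
```

The extension check only matches what the question already does at import time (it says nothing about what the remote server actually serves, and a redirect can still land elsewhere); its value here is that, combined with the scheme and host allow-list, it keeps non-fetchable and off-provider values out of the page entirely, while the escaping step closes the attribute-breakout path regardless of what passes validation.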
