user3163495

Reputation: 3547

What malicious things can a user do in an <img> src attribute?

I'm working on an application where users can provide a url to be used as the src in an <img> element.

What kind of things do I need to look out for to make sure a malicious user can't exploit this feature? I'm already escaping the HTML characters (replacing " with &quot; and so on).

I'd like to know things like whether JavaScript can be run from an <img> src attribute, and other lesser-known dangers.

Upvotes: 2

Views: 427

Answers (1)

Caine Nielsen

Reputation: 329

I would think the biggest danger here would simply come from the actual image the user chooses. You may want to blacklist certain domains or give the user some acceptable-use information before they choose an image, ensuring they don't display adult or otherwise NSFW content to other users. Parsing the URI they provide and systematically building the image tag is the best way to make sure they can't game the system in any way.

Upvotes: 2
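One way to do what the answer describes (parse the URI, then build the tag from the parsed parts rather than from raw input), as an added example that is not code from the question or the answer. It uses the standard WHATWG URL API available in Node and browsers; the function names, the options object and the sample inputs are my own.

```javascript
// Escape the five characters that matter inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Build an <img> tag from a user-supplied URL, or return null if it is rejected.
// options.blockedHosts (constructed for this example) is a list of hostnames to refuse.
function buildImgTag(userInput, options = {}) {
  let url;
  try {
    // The URL parser trims surrounding whitespace and lowercases the scheme,
    // so " JavaScript:alert(1)" and "javascript:alert(1)" are handled alike.
    url = new URL(String(userInput));
  } catch (e) {
    return null; // relative or unparseable input: reject rather than guess a base
  }
  // A javascript:, data: or file: URL contains no HTML special characters, so
  // quote escaping alone never rejects it; an explicit scheme allowlist does.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Embedded credentials (https://user:pw@host/) serve no purpose for an image.
  if (url.username || url.password) return null;
  const blocked = (options.blockedHosts || []).map(h => h.toLowerCase());
  if (blocked.includes(url.hostname)) return null;
  // url.href is the normalized serialization: stray <, >, " in the path or query
  // are percent-encoded by the parser; escapeAttr covers anything that is left.
  return `<img src="${escapeAttr(url.href)}" alt="">`;
}

module.exports = { buildImgTag, escapeAttr };
```

Note that scheme and host checks decide whether a URL is fetched at all; they say nothing about what the fetched image shows, which is the content problem the answer raises.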
