Geek asks and answers

Use PHP to prevent XSS attacks inside the image

After reading http://dsecrg.com/files/pub/pdf/XSS_in_images_evasion_bypass_(eng).pdf it is clear that permission to download images from users opens you with XSS attacks.

I was unable to find PHP examples of how to display the uploaded image for XSS attacks.

I found one for CodeIgniter that I use. A function xss_clean($file, IS_IMAGE), but for it there is only 1 sentence of documentation, so I have no idea how it works, and a comment on their forum suggests that it has an unreasonably high level of false positives, so it cannot be used in production.

What do you recommend to prevent XSS attacks in the uploaded image?

+5
source share
2 answers

As long as you hold the extension correctly (and your users carefully update their browser), image injection should not be possible.

For example, if someone uploads alert('xss');as an image, and you have it <img src='that-image.png'>, it will be released as png, and JavaScript will not execute (at least back in IE7). The important thing is that you rename images correctly.

If you have php> 5.3 and the finfoPECL extension , you can use it to get the type of mime file and have a white list of types that you allow (png, jpg, gif, I would imagine). If you are on a Linux machine, it filecan help you with that.

+4
source

CodeIgniter XSS. → post ('data', true). - XSS bool.

, HTML IMG. CodeIgniter, , .

!

0

More articles:


All Articles