After reading http://dsecrg.com/files/pub/pdf/XSS_in_images_evasion_bypass_(eng).pdf, it is clear that allowing image uploads from users opens you to XSS attacks.
I wasn't able to find any PHP examples of how to screen an uploaded image for XSS attacks.
I found one for CodeIgniter, which I am using. The function is xss_clean($file, IS_IMAGE), but there is only one sentence of documentation for it, so I have no idea how it works, and a comment in their forum said it had an unreasonably high rate of false positives, so it's not usable in production.
What do you recommend to prevent XSS attacks within an uploaded image?
As long as you keep the extension correct (and your users are diligent about updating their browser) image injection should not be possible.
For instance, if someone uploads alert('xss'); as an image and you have <img src='that-image.png'>, it will be emitted as a PNG and the JavaScript won't execute (at least back to IE7). What's important is that you rename the images appropriately.
If you have PHP > 5.3 and the finfo PECL extension, you can use it to get the MIME type of the file and have a whitelist of types you will allow (png, jpg, gif I would imagine). If you are on a Linux machine, file may help you with that as well.
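The finfo-plus-whitelist approach from the answer above, written out as an added example (this is not code from the question or the answer, and not CodeIgniter's xss_clean). It assumes the upload arrives as $_FILES['image'], that the destination directory is /var/www/uploads, and that the GD extension is available for the re-encode step; those names and the directory are assumptions, not anything the page states. Beyond the answer's own suggestion it also cross-checks libmagic against getimagesize(), stores the file under a server-chosen random name with an extension derived from the detected type, and re-encodes the pixels so that anything hidden in comments, EXIF or trailing bytes is discarded.

```php
<?php
// Added example: validate an uploaded image by its real content, not by the
// client-supplied filename or Content-Type, then store it under a name and
// extension that the server chooses.
// Assumptions (not from the original post): upload in $_FILES['image'],
// destination /var/www/uploads, GD extension installed.

declare(strict_types=1);

/** MIME types we accept, mapped to the extension we will store them under. */
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Return the extension to store $path under, or null if it is not an
 * accepted image. libmagic (finfo) and getimagesize() must agree.
 */
function detectImageType(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // getimagesize() parses the image header independently of libmagic;
    // a polyglot that fools one detector is unlikely to fool both.
    $info = @getimagesize($path);
    if ($info === false || ($info['mime'] ?? null) !== $mime) {
        return null;
    }

    return ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Decode and re-encode with GD so that only pixel data survives.
 * Script text smuggled into metadata or appended after the image is dropped.
 */
function reencodeImage(string $src, string $dst, string $ext): bool
{
    $img = @imagecreatefromstring((string) file_get_contents($src));
    if ($img === false) {
        return false;
    }
    switch ($ext) {
        case 'png': $ok = imagepng($img, $dst);       break;
        case 'jpg': $ok = imagejpeg($img, $dst, 90);  break;
        case 'gif': $ok = imagegif($img, $dst);       break;
        default:    $ok = false;
    }
    imagedestroy($img);
    return $ok;
}

/**
 * Handle one upload from $_FILES. Returns the stored filename, or throws
 * if the file is rejected.
 */
function storeUploadedImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }

    $ext = detectImageType($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('Rejected: not a PNG, JPEG or GIF');
    }

    // Never reuse the client's filename: random name, our own extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!reencodeImage($file['tmp_name'], $dest, $ext)) {
        throw new RuntimeException('Rejected: could not decode image');
    }
    return $name;
}

// Usage, e.g. in the controller that receives the form post (assumed names):
// $stored = storeUploadedImage($_FILES['image'], '/var/www/uploads');
// echo '<img src="/uploads/' . htmlspecialchars($stored, ENT_QUOTES) . '">';
```

Two caveats on the re-encode step: GD keeps only the first frame of an animated GIF, and decoding a very large image can exhaust memory_limit, so check the dimensions returned by getimagesize() before decoding if you accept big files. When serving the stored files, send the MIME type from the same whitelist and add X-Content-Type-Options: nosniff so older browsers do not content-sniff the response.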