Download executable code via <img> or <a> tags?

Question

Download executable code via <img> or <a> tags?

I am working on an application that will allow people to enter an arbitrary URL to be included in <a href="ARBITRARY URL">and tags <img src="ARBITRARY URL" />.

What types of security risks are I viewing?

The application is encoded in PHP, and the only security measure I am currently implementing is PHP htmlentities () against the input URL before sending it as HTML. I also check that the text of the URL starts with http://or https://, but I do not know if this has achieved anything, security.

What else should I do to ensure the safety of my end users?

+5

javascript security php image xss

Dolph Nov 09 '09 at 21:48

source share

7 answers

Would you like to read about XSS (cross-site scripting) and XSRF (fake cross-site request)

EDIT: As ryeguy pointed out , you can pretty much copy and paste any of the examples into the XSS (Cross Site Scripting) Cheat Sheet and look for the best way to prevent them accordingly.

+2

Alex bagnolini Nov 09 '09 at 21:54

source share

, img

+2

pablasso 09 . '09 21:57

, javascript, . . http://www.thinkfu.com/blog/?p=15

SVG (mime-type image/svg + xml) javascript. . http://www.w3.org/TR/SVG/interact.html

+2

Mike Samuel 10 . '09 2:29

, URL-, . , - - , , , - .

, , ? .

+1

Pekka 웃 09 . '09 22:01

CSRF:

<img src="http://example.org/accounts/123/delete" />

+1

orip 09 . '09 22:02

, - xss , onmouseover onhover .. - javascript, - .

0

Collin Nov 11 '09 at 19:05

source share

ryeguy · Accepted Answer · 2009-11-09T21:57:22+0000

See the XSS Checklist .

Download executable code via <img> or <a> tags?

More articles: