用户可以在<img> src 属性?
[英]What malicious things can a user do in an <img> src attribute?
问题描述
I'm working on an application where users can provide a url to be used as the src in an <img> element.
我正在开发一个应用程序,用户可以提供 url 用作 <img> 元素中的src 。
What kind of things do I need to look out for to make sure a malicious user can't exploit this feature?我需要注意哪些事项才能确保恶意用户无法利用此功能? I'm already escaping the HTML characters (replacing " with " and so on).我已经是 escaping HTML 字符(用“替换”等)。
I'd like to know things like whether JavaScript be run from an <img> src attribute and other lesser-known dangers.我想知道诸如 JavaScript 是否可以从 <img> src 属性和其他鲜为人知的危险中运行。
1 个解决方案
解决方案1
1 已采纳 2020-05-10 04:34:26
I would think the biggest danger here would simply come from the actual image the user chooses.我认为这里最大的危险只是来自用户选择的实际图像。 You may want to blacklist certain domains or give the user some acceptable-use information before they choose an image, ensuring they don't display adult or otherwise NSFW content to other users.您可能希望在用户选择图像之前将某些域列入黑名单或提供一些可接受的使用信息,以确保他们不会向其他用户显示成人或其他 NSFW 内容。 Parsing the URI they provide and systematically building the image tag is the best way to make sure they can't game the system in any way.解析他们提供的 URI 并系统地构建图像标签是确保他们无法以任何方式欺骗系统的最佳方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.