diff options
author | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 15:55:42 -0500 |
---|---|---|
committer | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 15:55:42 -0500 |
commit | 71ccaf07510319a1366cd459295d63a6320c50b0 (patch) | |
tree | 8521e7e957e5482cc4c34cc1fc03534c2d18e529 /doc | |
parent | 6aa25f2757bcecb511b7663ff41d60c221eed509 (diff) |
a few thoughts on data: security
Diffstat (limited to 'doc')
-rw-r--r-- | doc/security.mdwn | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index d834aa1a5..d9e0f655b 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -47,6 +47,13 @@ Users with only web commit access are limited to editing pages as ikiwiki doesn't support file uploads from browsers (yet), so they can't exploit this. +It is possible to embed an image in a page edited over the web, by using +`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:` +urls to be used for `image/*` mime types. It's possible that some broken +browser might ignore the mime type and if the data provided is not an +image, instead run it as javascript, or something evil like that. Hopefully +not many browsers are that broken. + ## multiple accessors of wiki directory If multiple people can directly write to the source directory ikiwiki is |