author	Joey Hess <joey@kodama.kitenet.net>	2008-02-10 15:55:42 -0500
committer	Joey Hess <joey@kodama.kitenet.net>	2008-02-10 15:55:42 -0500
commit	71ccaf07510319a1366cd459295d63a6320c50b0 (patch)
tree	8521e7e957e5482cc4c34cc1fc03534c2d18e529 /doc
parent	6aa25f2757bcecb511b7663ff41d60c221eed509 (diff)
a few thoughts on data: security
Diffstat (limited to 'doc')
-rw-r--r--	doc/security.mdwn	7
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index d834aa1a5..d9e0f655b 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -47,6 +47,13 @@ Users with only web commit access are limited to editing pages as ikiwiki
doesn't support file uploads from browsers (yet), so they can't exploit
this.
+It is possible to embed an image in a page edited over the web, by using
+`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:`
+urls to be used for `image/*` mime types. It's possible that some broken
+browser might ignore the mime type and if the data provided is not an
+image, instead run it as javascript, or something evil like that. Hopefully
+not many browsers are that broken.
+
## multiple accessors of wiki directory
If multiple people can directly write to the source directory ikiwiki is
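Review bot: the new paragraph says the htmlscrubber "only allows `data:` urls to be used for `image/*` mime types" but does not say whether that is a wildcard match or an enumerated list; if it is a wildcard, `image/svg+xml` falls under it, and an SVG document can carry script, so the text should state exactly which subtypes pass the check (for example a fixed list such as png/jpeg/gif) rather than leaving readers to infer it. It would also help to say where the check lives and whether `data:` is rejected outright in non-image contexts such as `a href`, since the paragraph only describes the `img src` case. Minor: the example `img src="data:image/png;"` is missing the `base64,` part of a real data URL, which is fine as shorthand but could confuse someone copying it into a test.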