From 71ccaf07510319a1366cd459295d63a6320c50b0 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 10 Feb 2008 15:55:42 -0500 Subject: a few thoughts on data: security --- doc/security.mdwn | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'doc') diff --git a/doc/security.mdwn b/doc/security.mdwn index d834aa1a5..d9e0f655b 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -47,6 +47,13 @@ Users with only web commit access are limited to editing pages as ikiwiki doesn't support file uploads from browsers (yet), so they can't exploit this. +It is possible to embed an image in a page edited over the web, by using +`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:` +urls to be used for `image/*` mime types. It's possible that some broken +browser might ignore the mime type and if the data provided is not an +image, instead run it as javascript, or something evil like that. Hopefully +not many browsers are that broken. + ## multiple accessors of wiki directory If multiple people can directly write to the source directory ikiwiki is -- cgit v1.2.3