This is a question related to an internal web site with a small user base. It is used for threaded conversations between users (like a forum), but it is all custom made and contains some business logic. Users are allowed to upload attachments, and other users see a link to these attachments in the view and can download using that link.
I want to add a new feature to display images inline, instead of showing a link. I thought about sending an image tag with source attribute set to the location of the attachment.
My problem is, this is open for XSS attacks. A user might upload a javascript file that has a png extension, and the image tag will execute the javascript on resource loading.
If relevant, backend is running a python based web server and front end is mostly plain html/javascript.
What would be a correct method to prevent attacks on this system?
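One defensive pattern for the setup described in the question, written here as an added example and not code from the site in question: validate an upload by its leading bytes rather than its extension, store it under a name derived from the detected type, and serve it with headers that forbid the browser from reinterpreting it. Function and signature-table names are assumptions made for this example.

```python
# Added example (not from the original post): validate user-uploaded
# attachments by their magic bytes before storing them, and serve them
# with headers that stop the browser from reinterpreting the bytes.
# Function and header names are assumptions, not from the original site.
import re
from typing import Dict, Optional, Tuple

# Magic-byte signatures for the image formats the site is willing to show inline.
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
EXTENSION_FOR = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, ignoring the
    user-supplied extension entirely; None means 'not an image we serve inline'."""
    for mime, prefixes in IMAGE_SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None

def accept_upload(filename: str, data: bytes) -> Optional[Tuple[str, str]]:
    """Decide whether an upload may be stored as an inline image.
    Returns (safe_filename, mime) or None when the content is rejected."""
    mime = sniff_image_type(data)
    if mime is None:
        return None
    # Drop path components and any character that could break out of a header value,
    # then replace the user's extension with the one matching the detected type.
    base = re.sub(r"[^A-Za-z0-9._-]", "_", filename.rsplit("/", 1)[-1])
    stem = (base.rsplit(".", 1)[0] if "." in base else base).strip(".") or "upload"
    return stem + EXTENSION_FOR[mime], mime

def attachment_headers(mime: str, safe_filename: str) -> Dict[str, str]:
    """Response headers for serving a stored attachment: the content type comes
    from the validated sniff result, nosniff forbids the browser from guessing a
    different type, and the CSP neutralises script even if a page-like document
    were ever served from this path."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe_filename}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, no-transform",
    }
```

Serving attachments from a separate, cookieless origin adds a further layer, since anything that does render there cannot reach the main site's session.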