From: Joey Hess Date: Sun, 10 Feb 2008 20:55:42 +0000 (-0500) Subject: a few thoughts on data: security X-Git-Tag: 2.40~128 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=71ccaf07510319a1366cd459295d63a6320c50b0;p=ikiwiki.git a few thoughts on data: security --- diff --git a/doc/security.mdwn b/doc/security.mdwn index d834aa1a5..d9e0f655b 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -47,6 +47,13 @@ Users with only web commit access are limited to editing pages as ikiwiki doesn't support file uploads from browsers (yet), so they can't exploit this. +It is possible to embed an image in a page edited over the web, by using +`img src="data:image/png;"`. Ikiwiki's htmlscrubber only allows `data:` +urls to be used for `image/*` mime types. It's possible that some broken +browser might ignore the mime type and if the data provided is not an +image, instead run it as javascript, or something evil like that. Hopefully +not many browsers are that broken. + ## multiple accessors of wiki directory If multiple people can directly write to the source directory ikiwiki is
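Review bot: The added paragraph in doc/security.mdwn ends on "Hopefully not many browsers are that broken", which leaves the reader without a clear statement of the risk. Consider saying outright that this is a residual risk which depends on the browser honouring the declared `image/*` mime type, and that the htmlscrubber restriction is the only control described here. The unchanged context line just above concludes that web-only editors "can't exploit this" because there are no browser file uploads, yet the new text describes a way for those same editors to embed image data over the web. The paragraph should say whether that earlier conclusion still holds for `data:` urls. Finally, the sample `img src="data:image/png;"` is abbreviated, with no encoding marker or payload; a short remark that it is shortened would keep readers from taking it as a complete, working tag.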