Profile image [message #19761]
Tue, 31 August 2004 14:52
betacire
Messages: 18 Registered: July 2004
Karma: 0
Junior Member
Hi,
In the Admin Control Panel, I see:
********************************************
Profile Image:
Whether or not to allow users to enter a URL to an image in their profile that will be displayed on the user info page for that user. The danger of this feature is that the user could potentially link to a page other than an image and some browsers like Internet Explorer will parse that page, executing any potentially hostile JavaScript that may be present.
*********************************************
Perhaps it could be interesting to test whether the URL ends in .jpg, .gif, or .png, and the potential risk would be avoided.
And also, wouldn't it be possible to have the same options as for the avatars (URL / Uploaded / ALL / OFF)?
Thanks

Re: Profile image [message #19764 is a reply to message #19761]
Tue, 31 August 2004 15:55
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
Avatars are not vulnerable since they are always downloaded by the forum even if the avatar is a URL to a remote site.
FUDforum Core Developer

Re: Profile image [message #19772 is a reply to message #19764]
Tue, 31 August 2004 22:22
betacire
Messages: 18 Registered: July 2004
Karma: 0
Junior Member
Quote: Avatars are not vulnerable since they are always downloaded by the forum even if the avatar is a URL to a remote site.
Yes, and it would be better if it was the same thing for the profile image. But perhaps it's too complicated?
Thanks,
Betacire

Re: Re : Profile image [message #19886 is a reply to message #19790]
Wed, 15 September 2004 05:27
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
Downloading those images that have no size limits could possibly result in excessive disk utilization by the forum.
FUDforum Core Developer
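
An added example, not part of the original thread and not FUDforum code: it contrasts the extension test suggested in the first post with checking the downloaded bytes under a size cap, as the replies discuss. The cap, URLs, function names and sample bodies are constructed for illustration.

```php
<?php
// Added example, not FUDforum code; names, URLs and the cap are assumptions.
const MAX_IMAGE_BYTES = 65536;

// The check proposed in the thread: trust the URL's file extension.
function url_has_image_extension(string $url): bool
{
    $path = (string) parse_url($url, PHP_URL_PATH);
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'gif', 'png'], true);
}

// Read at most $max bytes from an open stream; null when the body is larger.
function read_capped($stream, int $max): ?string
{
    $data = stream_get_contents($stream, $max + 1);
    return ($data === false || strlen($data) > $max) ? null : $data;
}

// Identify the type from leading magic bytes, ignoring the URL entirely.
function sniff_image_type(string $bytes): ?string
{
    $signatures = [['png', "\x89PNG\r\n\x1a\n"], ['gif', 'GIF87a'],
                   ['gif', 'GIF89a'], ['jpg', "\xFF\xD8\xFF"]];
    foreach ($signatures as [$type, $sig]) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) {
            return $type;
        }
    }
    return null;
}

// Stand-in for the HTTP response body so the example runs offline.
function memory_stream(string $body)
{
    $s = fopen('php://memory', 'r+');
    fwrite($s, $body);
    rewind($s);
    return $s;
}

// Constructed samples: a PNG header, an HTML page named .jpg, an oversized GIF.
$samples = [
    'http://example.test/me.png'   => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32),
    'http://example.test/page.jpg' => '<html><script>/* constructed */</script></html>',
    'http://example.test/huge.gif' => 'GIF89a' . str_repeat('A', MAX_IMAGE_BYTES),
];
foreach ($samples as $url => $body) {
    $bytes = read_capped(memory_stream($body), MAX_IMAGE_BYTES);
    $type  = $bytes === null ? null : sniff_image_type($bytes);
    printf("%-30s extension_ok=%s stored_as=%s\n", $url,
        var_export(url_has_image_extension($url), true), $type ?? 'rejected');
}
```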

Re: Profile image [message #24118 is a reply to message #19761]
Sat, 16 April 2005 01:11
Anonymous
betacire wrote on Tue, 31 August 2004 10:52:
Hi,
In the Admin Control Panel, I see:
********************************************
Profile Image:
Whether or not to allow users to enter a URL to an image in their profile that will be displayed on the user info page for that user. The danger of this feature is that the user could potentially link to a page other than an image and some browsers like Internet Explorer will parse that page, executing any potentially hostile JavaScript that may be present.
*********************************************
Perhaps it could be interesting to test whether the URL ends in .jpg, .gif, or .png, and the potential risk would be avoided.
And also, wouldn't it be possible to have the same options as for the avatars (URL / Uploaded / ALL / OFF)?
Thanks