Hello guys. I'm creating a webapp that lets the users post tutorials on my website, and I really want to give them the ability to insert images from other sites (like from their own Flickr account or something). I am however afraid that this would open up the webapp to security breaches.
How can I let the users embed their images without decreasing the level of security?
Oh, by the way, the users write their tutorials in the WYSIWYG editor from the editMe extension.
You can match the URLs provided against a set of well-crafted regexes. You will have to take care of gotchas like authentication credentials in a URL, for example, which can be used to fake a domain.
Overall, this is a whitelist (safe) being used in a blacklist filter (unsafe).
I believe that accepting uploaded images is safer.
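As an added illustration of the "credentials in a URL" gotcha mentioned in the answer above (example code, not part of the original question or answer): the naive regex below only checks that the URL starts with an allowed domain name, so a URL whose userinfo part carries the trusted name slips through while the real host is somewhere else. The strict version parses the URL with `urllib.parse.urlsplit`, rejects any userinfo, non-HTTP schemes and non-default ports, and compares the actual host against an allowlist. The allowlist hosts and sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of hosts the tutorial editor may embed images from.
ALLOWED_IMAGE_HOSTS = {"staticflickr.com", "imgur.com"}

# Naive prefix regex of the kind the answer warns about: it is not anchored at
# the end of the authority, so it only checks how the URL *starts*.
NAIVE_PATTERN = re.compile(r"^https?://(?:[\w-]+\.)*(staticflickr\.com|imgur\.com)")


def naive_allowed(url: str) -> bool:
    """Regex-only check; accepts 'https://staticflickr.com@evil.example/...'."""
    return NAIVE_PATTERN.match(url) is not None


def host_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted host (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_IMAGE_HOSTS)


def strict_allowed(url: str) -> bool:
    """Parse the URL and decide on the real host component, not on a prefix."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Any userinfo is rejected outright: in 'https://staticflickr.com@evil.example/'
    # the trusted name is the username and the host is evil.example.
    if parts.username is not None or parts.password is not None:
        return False
    if not parts.hostname:
        return False
    # Only default ports; an explicit odd port is a sign of something unexpected.
    if port not in (None, 80, 443):
        return False
    return host_allowed(parts.hostname)


def compare(urls):
    """Return {url: (naive_verdict, strict_verdict)} to show where they diverge."""
    return {u: (naive_allowed(u), strict_allowed(u)) for u in urls}


if __name__ == "__main__":
    samples = [
        "https://live.staticflickr.com/65535/photo.jpg",   # legitimate
        "https://staticflickr.com@evil.example/x.png",     # userinfo trick
        "https://staticflickr.com.evil.example/x.png",     # lookalike subdomain
        "http://imgur.com:8080/a.png",                     # unexpected port
        "javascript:alert(1)",                             # not an image URL at all
    ]
    for url, (naive, strict) in compare(samples).items():
        print(f"{url!s:50} naive={naive!s:5} strict={strict}")
```

Running the block prints both verdicts side by side; the two lookalike URLs pass the regex and fail the parser-based check. Whichever check is used, the hostname comparison should be done on the parsed host, never on a substring of the raw URL.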