On Mon, Jan 23, 2012 at 3:25 AM, Daniel Friesen
<lists(a)nadir-seen-fire.com> wrote:
I've found a bit of an issue with our external image embedding whitelisting functionality.
This isn't exactly a hole in the code itself, but in the fact that in
practice it seems just about everyone uses the whitelist incorrectly and
ends up opening up holes in their wiki allowing the whitelist to be
bypassed.
*nod* I'd generally recommend not to use this old external images feature;
as you note its whitelisting is pretty awful (just a ham-fisted regex) but
more generally it can trigger false positives (web pages with '.jpg'
ending) and lacks any controls for sizing images, giving them alt text or
captions, etc.
If there's not already a good extension for embedding external URLs as
images that *does* let you set size, alt text, etc, then there probably
should be one added. If whitelisting makes sense for it at all, then it
should be implemented better as well so it's less error-prone.
-- brion
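To make the "ham-fisted regex" point concrete, here is an added example (not code from the thread or from MediaWiki) contrasting a line-per-regex-fragment whitelist with a check that parses the URL and compares the host exactly. The whitelist model (each non-comment line used as an unanchored, case-insensitive regex, allow on any match) is an assumption about how such lists tend to be implemented; the sample URLs are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the thread).
LEGIT = "http://images.example.com/logo.jpg"
# The allowed name appears in the URL, but the request goes elsewhere:
BYPASS_SUBDOMAIN = "http://images.example.com.attacker.invalid/pixel.jpg"
BYPASS_PATH = "http://attacker.invalid/images.example.com/pixel.jpg"
BYPASS_USERINFO = "http://images.example.com@attacker.invalid/pixel.jpg"
# Unescaped '.' in the entry is a wildcard, so this matches too:
BYPASS_DOT = "http://imagesXexampleXcom/pixel.jpg"

# A typical whitelist as people actually write it: one bare hostname.
LOOSE_ENTRIES = ["# allow our image server", "images.example.com"]
# The same intent expressed as an anchored, escaped regex.
STRICT_ENTRIES = [r"^https?://images\.example\.com/"]


def regex_whitelist_allows(entries, url):
    """Assumed model of a regex-fragment whitelist: each non-blank, non-comment
    line is used as an unanchored, case-insensitive regex, and the URL is
    allowed as soon as any line matches anywhere in it."""
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        if re.search(entry, url, re.IGNORECASE):
            return True
    return False


def host_whitelist_allows(allowed_hosts, url):
    """Safer alternative: parse the URL and compare scheme and host exactly.
    Substring tricks (subdomain suffix, path, userinfo) no longer help,
    because only the parsed hostname is compared."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


def loose_results():
    """Which constructed URLs the bare-hostname entry lets through."""
    return {
        name: regex_whitelist_allows(LOOSE_ENTRIES, url)
        for name, url in [
            ("legit", LEGIT),
            ("subdomain", BYPASS_SUBDOMAIN),
            ("path", BYPASS_PATH),
            ("userinfo", BYPASS_USERINFO),
            ("dot", BYPASS_DOT),
        ]
    }


def strict_results():
    """The same URLs against the anchored regex and the host-compare check."""
    urls = [
        ("legit", LEGIT),
        ("subdomain", BYPASS_SUBDOMAIN),
        ("path", BYPASS_PATH),
        ("userinfo", BYPASS_USERINFO),
        ("dot", BYPASS_DOT),
    ]
    return {
        name: (
            regex_whitelist_allows(STRICT_ENTRIES, url),
            host_whitelist_allows(["images.example.com"], url),
        )
        for name, url in urls
    }


if __name__ == "__main__":
    print("loose :", loose_results())
    print("strict:", strict_results())
```

The loose entry admits every constructed bypass URL, while both the anchored regex and the host comparison admit only the legitimate one. If the wiki must keep a regex-based list, the entries need a `^https?://` anchor, escaped dots, and a trailing `/` after the host; a host comparison after URL parsing is less error-prone for operators who are not regex experts.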