doxbox / doxbox-dms

DoxBox DMS formerly Owl Intranet Knowledgebase
www.doxbox.ca
GNU General Public License v2.0

Thumbnails are loaded from a directory in the Webspace kinda Security issue #7

Closed bozzit closed 10 years ago

bozzit commented 10 years ago

We could load them from another location outside the web space and embed them using a data: URI

<img width="16" height="16" alt="star" 
src="data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO
0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hB
ADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7" />

The format, to be specific:

data:[<mime type>][;charset=<charset>][;base64],<encoded data>
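
A server-side sketch of the approach proposed in this issue, added here as an example and not DoxBox code: it reads a thumbnail from a directory outside the web space, refuses names that resolve outside that directory, takes the MIME type from the file's magic bytes, and emits the `data:` URI in the format above. The function names, the size cap, the format allow-list and the sample GIF bytes are assumptions made for the example.

```python
import base64
import html
import tempfile
from pathlib import Path

# Allow-list of magic bytes -> MIME type (assumed set of thumbnail formats).
# The type comes from the file content, never from the requested name.
MAGIC = {b"GIF87a": "image/gif", b"GIF89a": "image/gif",
         b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg"}
MAX_BYTES = 32 * 1024  # assumed cap: base64 inflates the page by about 4/3


def thumbnail_data_uri(thumb_dir, name):
    """Return a data: URI for thumb_dir/name, or None if it must not be served."""
    try:
        root = Path(thumb_dir).resolve()
        target = (root / name).resolve()
        # Rejects ../ sequences, absolute paths and symlinks leaving thumb_dir.
        if root not in target.parents or not target.is_file():
            return None
        if target.stat().st_size > MAX_BYTES:
            return None
        data = target.read_bytes()
    except (OSError, ValueError):  # unreadable file, NUL byte in name, ...
        return None
    mime = next((m for sig, m in MAGIC.items() if data.startswith(sig)), None)
    if mime is None:
        return None
    return "data:%s;base64,%s" % (mime, base64.b64encode(data).decode("ascii"))


def img_tag(thumb_dir, name, alt):
    """Build the <img> element; empty string when the thumbnail is refused."""
    uri = thumbnail_data_uri(thumb_dir, name)
    if uri is None:
        return ""
    return '<img width="16" height="16" alt="%s" src="%s" />' % (
        html.escape(alt, quote=True), uri)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:  # constructed sample layout
        thumbs = Path(base) / "thumbs"           # stands in for a dir outside the web root
        thumbs.mkdir()
        (thumbs / "star.gif").write_bytes(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")
        print(img_tag(thumbs, "star.gif", "star"))
        print(repr(img_tag(thumbs, "../../etc/passwd", "x")))
```

Embedded thumbnails are re-sent with every page that contains them rather than cached as separate resources, which is why the size cap is checked before the file is read.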