1

Topic: Allowing inline images using src value of "data:image"

Currently data is not an allowable prefix for the src attribute of the img tag and gets filtered.
RFC 2397 defines the spec for this, but the basic format for this is:

data:[<mediatype>][;base64],<data>

example input:

<img src="data:image/gif;base64,R0lGODlhEAAOALMAAOazToeHh0tLS/7LZv/0jvb29t/f3//Ub//ge8WSLf/rhf/3kdbW1mxsbP//mf///yH5BAAAAAAALAAAAAAQAA4AAARe8L1Ekyky67QZ1hLnjM5UUde0ECwLJoExKcppV0aCcGCmTIHEIUEqjgaORCMxIC6e0CcguWw6aFjsVMkkIr7g77ZKPJjPZqIyd7sJAgVGoEGv2xsBxqNgYPj/gAwXEQA7" width="16" height="14" alt="embedded folder icon">

output:

<img src="denied:data:image/gif;base64,R0lGODlhEAAOALMAAOazToeHh0tLS/7LZv/0jvb29t/f3//Ub//ge8WSLf/rhf/3kdbW1mxsbP//mf///yH5BAAAAAAALAAAAAAQAA4AAARe8L1Ekyky67QZ1hLnjM5UUde0ECwLJoExKcppV0aCcGCmTIHEIUEqjgaORCMxIC6e0CcguWw6aFjsVMkkIr7g77ZKPJjPZqIyd7sJAgVGoEGv2xsBxqNgYPj/gAwXEQA7" width="16" height="14" alt="embedded folder icon" />

I've seen at least one alteration to htmLawed to allow this behavior here: https://sysengineers.wordpress.com/2013/10/29/fix-the-inline-images-bug-in-glpi-knowledgebase/

2

Re: Allowing inline images using src value of "data:image"

htmLawed does permit use of 'data', which requires an appropriate configuration of the filter.

The config argument for htmLawed has a parameter named schemes that can be set to allow use of 'data' scheme/protocol in 'src' attribute of an 'img' element (more on schemes parameter).

// permit data, http and https for all attributes, and mailto and ftp for only 'href' attribute
// (any other configuration parameters go in the same array)
$config = array('schemes' => '*: data, http, https; href: ftp, mailto');
$out = htmLawed($in, $config);

The default value of 'schemes' is href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https.

I will think of adding 'data' to this default for future htmLawed releases.
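
The `schemes` value above is a list of scheme names, so it says nothing about the media type that follows `data:`. As an added example (not part of the original posts and not htmLawed code), the check below validates a `src` value against the RFC 2397 layout quoted in the first post. The helper name `is_safe_image_data_uri()`, the raster-only allowlist, the 64 KiB size cap and the sample inputs are all assumptions of this example.

```php
<?php
// Added example; is_safe_image_data_uri() is a hypothetical helper, not htmLawed API.
// Assumed policy: raster types only. image/svg+xml is left out because SVG is
// XML that can embed script.
const IMAGE_MAGIC = [
    'image/gif'  => ["GIF87a", "GIF89a"],
    'image/png'  => ["\x89PNG\r\n\x1a\n"],
    'image/jpeg' => ["\xFF\xD8\xFF"],
];

function is_safe_image_data_uri(string $uri, int $maxBytes = 65536): bool
{
    // RFC 2397 layout: data:[<mediatype>][;base64],<data>
    $re = '~^data:([a-z0-9.+-]+/[a-z0-9.+-]+)((?:;[^;,]*)*),(.*)$~is';
    if (!preg_match($re, trim($uri), $m)) {
        return false;               // not a data URI, or no explicit media type
    }
    $type = strtolower($m[1]);
    if (!array_key_exists($type, IMAGE_MAGIC) || strtolower($m[2]) !== ';base64') {
        return false;               // type not allowlisted, or extra/missing parameters
    }
    $raw = base64_decode($m[3], true);   // strict: reject non-base64 characters
    if ($raw === false || $raw === '' || strlen($raw) > $maxBytes) {
        return false;
    }
    // The declared type must match the signature of the decoded bytes.
    foreach (IMAGE_MAGIC[$type] as $sig) {
        if (strncmp($raw, $sig, strlen($sig)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs.
$samples = [
    'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7',
    'data:text/html;base64,aGVsbG8=',        // wrong media type
    'data:image/svg+xml;base64,aGVsbG8=',    // not allowlisted
    'data:image/png;base64,aGVsbG8=',        // bytes are not a PNG
    'data:image/gif,GIF89a',                 // not base64-encoded
];
foreach ($samples as $s) {
    printf("%-6s %s\n", is_safe_image_data_uri($s) ? 'allow' : 'deny', substr($s, 0, 40));
}
```

Only the first sample is allowed; the other four are denied for the reasons given in their comments.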

3

Re: Allowing inline images using src value of "data:image"

The latest release of htmLawed (version 1.2) supports the 'data' URL scheme.