Is anyone aware of any security issues with the use of `<img src="data:xxxxx">` where the user supplies the content? Assume the content is validated so it fits the format for a data URI so it can't break out of the tag, and is also restricted to image MIME types.
2 Answers
2
There's definitely different code involved, but it's probably not any more attackable than a normal img link.
sblom
1
I think this should be secure. As the data URI syntax for images is quite strict:
`data:image/<subtype>;base64,<base64-stream>`
it would be easy to validate (see for example RegEx to parse or validate Base64 data).
The only vulnerability I can think of is one within the component that parses/renders the image.
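One way to implement the strict validation described in the answer above, as an added example that is not part of the original answers. It assumes Node.js; the raster-only subtype allowlist, the size cap, the function name and the sample value are assumptions. It goes beyond the regex by requiring canonical base64 and checking that the decoded bytes begin with the declared type's file signature.

```javascript
// Added example: strict validator for user-supplied image data URIs.
// Allowlist, size cap and names are illustrative assumptions.
const MAGIC = {
  png: (b) => b.subarray(0, 8).equals(Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])),
  jpeg: (b) => b.length > 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff,
  gif: (b) => ['GIF87a', 'GIF89a'].includes(b.subarray(0, 6).toString('latin1')),
  webp: (b) => b.subarray(0, 4).toString('latin1') === 'RIFF' &&
               b.subarray(8, 12).toString('latin1') === 'WEBP',
};

// Fully anchored: no parameters other than ";base64", and no characters
// outside the base64 alphabet, so quotes and whitespace never match.
const DATA_URI = /^data:image\/(png|jpeg|gif|webp);base64,([A-Za-z0-9+/]+={0,2})$/;

function validateImageDataUri(input, maxBytes = 256 * 1024) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  // Cap the encoded length before running the regex or decoding.
  if (input.length > Math.ceil(maxBytes / 3) * 4 + 32) return { ok: false, reason: 'too large' };
  const m = DATA_URI.exec(input);
  if (!m) return { ok: false, reason: 'syntax' };
  const [, subtype, b64] = m;
  if (b64.length % 4 !== 0) return { ok: false, reason: 'base64 length' };
  const bytes = Buffer.from(b64, 'base64');
  // Buffer.from decodes leniently; re-encoding must reproduce the input exactly.
  if (bytes.toString('base64') !== b64) return { ok: false, reason: 'non-canonical base64' };
  if (bytes.length > maxBytes) return { ok: false, reason: 'too large' };
  if (!MAGIC[subtype](bytes)) return { ok: false, reason: 'content does not match declared type' };
  // Rebuild the URI from the parsed parts rather than echoing the input.
  return { ok: true, uri: `data:image/${subtype};base64,${b64}` };
}

// Constructed sample: PNG signature plus four zero bytes (not a complete image).
const samplePng = 'data:image/png;base64,' +
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]).toString('base64');

console.log(validateImageDataUri(samplePng));
console.log(validateImageDataUri(samplePng.replace('image/png', 'image/gif')));
```

The signature check only rejects mislabeled content; it does not vouch for the rest of the file, so the image decoder remains the component to keep patched.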