Is it safe to accept POST data that is supposed to be base64-encoded image data and use it as the src attribute of an img?
<img src="data:image/png;base64,[data here]" />
Obviously, with no filtering one could easily break out of the src attribute and the img tag and insert malicious <script /> or other tags, so my idea is to base64_decode($rawPostData), check if it is decoded OK and then base64_encode($decodedData) to put it in the src attribute.
Are there any vulnerabilities (such as XSS, maybe buffer overflow?) with this approach?
Background
I need this for a page that transforms a third-party svg to canvas to base64-encoded data using JavaScript (using "canvg" to be precise). I need to have the image passed to server-side scripts to do some other tasks using the image, but also to show the image to the user / client.
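
The decode, check, re-encode idea from the question, written out in PHP as an added example (not code from the original post). The function name, the size limit and the PNG signature check are assumptions; the strict flag matters because base64_decode() without it silently discards characters outside the base64 alphabet instead of failing.

```php
<?php
declare(strict_types=1);

// Assumed limits and names for this example; none of them come from the post.
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
const PNG_SIGNATURE   = "\x89PNG\r\n\x1a\n";
const DATA_URI_PREFIX = 'data:image/png;base64,';

/** Returns a data: URI built from re-encoded bytes, or null if the input is rejected. */
function pngDataUriFromPost(string $rawPostData): ?string
{
    // canvas.toDataURL() output carries the data: prefix; strip it if present.
    if (strncmp($rawPostData, DATA_URI_PREFIX, strlen(DATA_URI_PREFIX)) === 0) {
        $rawPostData = substr($rawPostData, strlen(DATA_URI_PREFIX));
    }
    // Bound the work before decoding (base64 text is about 4/3 of the decoded size).
    if (strlen($rawPostData) > intdiv(MAX_IMAGE_BYTES * 4, 3) + 4) {
        return null;
    }
    // Strict mode returns false for characters outside the base64 alphabet.
    $decoded = base64_decode($rawPostData, true);
    if ($decoded === false || $decoded === '') {
        return null;
    }
    // Header check only: this does not prove the rest of the bytes are a valid image.
    if (strncmp($decoded, PNG_SIGNATURE, strlen(PNG_SIGNATURE)) !== 0) {
        return null;
    }
    // base64_encode() emits only A-Z, a-z, 0-9, '+', '/' and '=', so the value
    // cannot close the quoted attribute or open a new tag.
    return DATA_URI_PREFIX . base64_encode($decoded);
}

// Constructed sample inputs.
$samples = [
    'png header'    => base64_encode(PNG_SIGNATURE . 'constructed-body'),
    'quote in data' => 'AAAA" x="',
    'not a png'     => base64_encode('<svg></svg>'),
];
foreach ($samples as $label => $input) {
    $uri = pngDataUriFromPost($input);
    if ($uri === null) {
        echo $label, ": rejected\n";
        continue;
    }
    // Escape on output as well, so the template stays safe if the prefix ever changes.
    echo $label, ': <img src="', htmlspecialchars($uri, ENT_QUOTES, 'UTF-8'), '" />', "\n";
}
```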