Author |
Topic |
|
Kent
Junior Member
United States
193 Posts |
Posted - 05 December 2002 : 12:29:59
|
Here's an example of how a long photo URL is handled a bit differently. It shows up as an unbroken link when you just paste it in as a URL without the {URL}{/URL} tags.
http://image.photoloft.com/opx-bin/OpxFIDISA.dll?s=cano&src=/PhotoLoft/Asset20/2002/12/05/10206/10206035_0_9487.fpx,0,0,1,1,512,384,FFFFFF
It also shows up as an unbroken link when you put the {URL}{/URL} tags around it:
http://image.photoloft.com/opx-bin/OpxFIDISA.dll?s=cano&src=/PhotoLoft/Asset20/2002/12/05/10206/10206035_0_9487.fpx,0,0,1,1,512,384,FFFFFF
But, when you use {img}{/img} tags, it breaks the URL and doesn't display:
Anyone have any suggestions?
Kent |
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 05 December 2002 : 12:39:17
|
It is because it has = and & in it; they are removed for security reasons. It has nothing to do with the length. |
|
|
Kent
Junior Member
United States
193 Posts |
Posted - 05 December 2002 : 13:00:53
|
So the & and = are "safe" when used in a link URL, but not a photo URL.... |
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 05 December 2002 : 13:04:22
|
Yes, I can see what the link says and work out what it does, but you can hide javascript code behind an image that users can't see; that is why they are not allowed in the image. |
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 05 December 2002 : 13:06:41
|
There are many others that are not allowed, try looking at the image validation routines
'## Added to exclude Javascript and other potentially hazardous characters
strUrlText = replace(strUrlText, "&", " ", 1, -1, 1) ' ## filter out &
strUrlText = replace(strUrlText, "#", " ", 1, -1, 1) ' ## filter out #
strUrlText = replace(strUrlText, ";", " ", 1, -1, 1) ' ## filter out ;
strUrlText = replace(strUrlText, "+", " ", 1, -1, 1) ' ## filter out +
strUrlText = replace(strUrlText, "(", " ", 1, -1, 1) ' ## filter out (
strUrlText = replace(strUrlText, ")", " ", 1, -1, 1) ' ## filter out )
strUrlText = replace(strUrlText, "[", " ", 1, -1, 1) ' ## filter out [
strUrlText = replace(strUrlText, "]", " ", 1, -1, 1) ' ## filter out ]
strUrlText = replace(strUrlText, "=", " ", 1, -1, 1) ' ## filter out =
strUrlText = replace(strUrlText, "*", " ", 1, -1, 1) ' ## filter out *
strUrlText = replace(strUrlText, "'", " ", 1, -1, 1) ' ## filter out '
strUrlText = replace(strUrlText, "javascript", " ", 1, -1, 1) ' ## filter out javascript
strUrlText = replace(strUrlText, "jscript", " ", 1, -1, 1) ' ## filter out jscript
strUrlText = replace(strUrlText, "vbscript", " ", 1, -1, 1) ' ## filter out vbscript
strUrlText = replace(strUrlText, "mailto", " ", 1, -1, 1) ' ## filter out mailto
'## End Added
|
|
|
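Added example, not forum code and not written by anyone in this thread: a Python port of the replace chain posted above, run on Kent's URL to show why the {img} link breaks, next to an allowlist check that keeps `&` and `=` but rejects any scheme other than http(s). The function `allowlist_img_src` and the sample value `SCRIPT_URL` are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Tokens removed by the routine quoted above, in the order posted.
BLOCKED = ["&", "#", ";", "+", "(", ")", "[", "]", "=", "*", "'",
           "javascript", "jscript", "vbscript", "mailto"]

def blocklist_filter(url: str) -> str:
    """Port of the posted replace() chain (compare mode 1 = case-insensitive)."""
    for token in BLOCKED:
        url = re.sub(re.escape(token), " ", url, flags=re.IGNORECASE)
    return url

def allowlist_img_src(url: str):
    """Assumed alternative: accept only absolute http(s) URLs, then HTML-escape.

    Returns the attribute-safe string, or None if the URL is rejected.
    """
    # Reject whitespace, control characters, quotes and angle brackets outright.
    if re.search(r"[\x00-\x20\x7f\"'<>`\\]", url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    # Emitting & as &amp; keeps the query string intact inside src="...".
    return html.escape(url, quote=True)

# Kent's photo URL from the first post.
KENT_URL = ("http://image.photoloft.com/opx-bin/OpxFIDISA.dll?s=cano&src=/PhotoLoft/"
            "Asset20/2002/12/05/10206/10206035_0_9487.fpx,0,0,1,1,512,384,FFFFFF")
# Constructed sample of the script-scheme value the filter is meant to stop.
SCRIPT_URL = "javascript:alert(1)"

if __name__ == "__main__":
    print(blocklist_filter(KENT_URL))     # '=' and '&' become spaces: broken image
    print(allowlist_img_src(KENT_URL))    # accepted, '&' emitted as '&amp;'
    print(allowlist_img_src(SCRIPT_URL))  # rejected
```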
Kent
Junior Member
United States
193 Posts |
Posted - 05 December 2002 : 13:36:25
|
Thanks, Huw. I was just trying to understand -- not questioning why it was done.
I didn't realize the additional risk that an image posed. Great explanation! |
|
|
night-red
Starting Member
Canada
8 Posts |
Posted - 14 December 2002 : 17:54:36
|
I did some creative editing on it. The images now work for me but I have not opened myself for an attack through it.
- Night-Red
|
|