Snitz changes any '=' characters to spaces and then encodes them into "%20" in img links. For example, the following link's URL is http://www.foobar.com?foo=bar but if you right-click the broken image you see that Snitz changed it to http://www.foobar.com?foo%20bar
Surely it's possible to filter javascript while allowing legitimate URLs... This problem precludes any dynamically generated images (chess diagrams on a chess forum in my case). At the very least you could convert the special characters (I notice that '&' and other special characters are converted too) to their HEX codes instead of converting everything to %20. That way I could parse the url on the server into what was intended.
You can just comment out the lines that convert the '=' sign to a space on your own forum if you want to. It's not a bug though. Moving to a more appropriate forum...
That would solve my problem, but bring in the security problems. Additionally, it's not *my* forum so I can't make the change. Is the solution to convert special characters to their hex codes not appropriate?
Allowing any dynamically created image (an image created by a script) is a security risk. Any script that is supposed to create a dynamic image could be used for other purposes. It's a choice you have to make.
I'm not sure I understand... How is allowing dynamically generated images any more a security risk than allowing statically generated ones? When you reference an image via a URL you don't know whether it's generated statically or dynamically anyway. Additionally, it's not that the conversion to %20 prevents dynamically generated images altogether - it just makes it harder for the person who writes the code that has to parse the url.
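The two approaches discussed in this thread side by side, as an added illustration that is not part of the original posts and not Snitz's own code: a constructed model of the reported '=' to %20 mangling (the real Snitz filter is not reproduced here and may differ), and the structure-preserving alternative the second poster asks for, which keeps '=' and '&' as query delimiters, percent-encodes everything else, restricts the scheme to http/https and rejects characters that could break out of the src attribute. The example hostnames, the chess diagram URL and the FEN parameter are constructed for the demonstration.

```python
"""Structure-preserving <img> URL sanitising versus '=' -> space mangling.

Added example for this thread (not Snitz's code). mangle_like_described() only
models the behaviour reported above; the actual Snitz implementation may differ.
"""
import html
from urllib.parse import parse_qs, parse_qsl, quote, urlencode, urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}   # no javascript:, data:, vbscript: etc.
FORBIDDEN_CHARS = set('"\'<>')        # would let src="..." escape the attribute


def mangle_like_described(url: str) -> str:
    """Constructed model of the reported behaviour: '=' becomes a space, then
    spaces are encoded as %20, so the query string loses its key=value form."""
    return url.replace("=", " ").replace(" ", "%20")


def sanitize_img_url(url: str):
    """Return a safe URL for <img src>, or None if it must be rejected.

    Instead of flattening the query, keep '=' and '&' as delimiters and
    percent-encode the contents of keys, values and the path.
    """
    url = url.strip()
    if any(ch in FORBIDDEN_CHARS or ord(ch) < 0x20 for ch in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    path = quote(parts.path, safe="/%")            # keep '/' and existing %XX escapes
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit((parts.scheme.lower(), parts.netloc, path, query, ""))


def render_img(url: str):
    """Build the <img> tag; attribute-escape the already sanitised URL."""
    safe = sanitize_img_url(url)
    if safe is None:
        return None
    return '<img src="%s">' % html.escape(safe, quote=True)


def server_view(url: str) -> dict:
    """What the image-generating script receives as query parameters."""
    return parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    original = "http://www.foobar.com?foo=bar"
    print("mangled :", mangle_like_described(original), server_view(mangle_like_described(original)))
    print("kept    :", sanitize_img_url(original), server_view(sanitize_img_url(original)))
    print("rejected:", sanitize_img_url("javascript:void(0)"))
    # constructed chess-diagram URL: '/' in the FEN value is hex-encoded, '=' and '&' survive
    print("chess   :", sanitize_img_url("http://example.com/diagram.png?fen=rnbqkbnr/pppppppp&move=1"))
```

With the mangled form the server sees no parameters at all, whereas the re-encoded form round-trips every key and value, including characters such as '/' inside a value, while still refusing non-http(s) schemes and attribute-breaking characters.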