Merged
Changes from 3 commits
12 changes: 8 additions & 4 deletions docs/content_management/images/images.md
Expand Up @@ -59,11 +59,15 @@

For more information, see the [bundle's documentation](https://symfony.com/bundles/LiipImagineBundle/current/configuration.html).

!!! caution "Code injection in image EXIF"
!!! caution "Code injection in images"

EXIF metadata of an image may contain for example, HTML, JavaScript, or PHP code. 
[[= product_name =]] is itself doesn't parse EXIF metadata, but third-party bundles must be secured against this eventuality.
Images must be treated like any other user-submitted data - make sure that metadata is properly escaped before use.
Images must be treated like any other user-submitted data - as potentially malicious.

- EXIF metadata of an image may contain for example, HTML, JavaScript, or PHP code.

[vale] docs/content_management/images/images.md#L66: [Ibexa.EOLWhitespace] Remove whitespace characters from the end of the line.
[[= product_name =]] itself doesn't parse EXIF metadata, but third-party bundles must be secured against this eventuality.
Make sure that metadata is properly escaped before use.
- Images may contain specially crafted flaws that exploit vulnerabilities in common image libraries
like GD or Imagick, leading to code execution. It's important to keep these libraries up to date with security updates.

### Image URL resolution
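Review bot: the new bullet "- EXIF metadata of an image may contain for example, HTML, JavaScript, or PHP code." still carries trailing whitespace (vale reports it as Ibexa.EOLWhitespace on line 66, column 88), and the comma is misplaced; suggest "EXIF metadata of an image may contain, for example, HTML, JavaScript, or PHP code." In the same bullet, "third-party bundles must be secured against this eventuality" tells the reader that something must be done without saying what; since the next line already gives the concrete advice, consider folding the two together, e.g. "[[= product_name =]] itself doesn't parse EXIF metadata, but if a third-party bundle does, make sure that metadata is properly escaped before use." In the second bullet, "specially crafted flaws" is the wrong noun, since the crafted thing is the image data, not the flaw; "specially crafted content that exploits vulnerabilities in common image libraries like GD or Imagick" reads correctly, and it is worth checking that the "like GD or Imagick" continuation line is indented under its bullet so the admonition renders it as one list item.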
