在应用程序中使用用户可编辑的图像 URL。安全问题
我正在编写一个应用程序,要求用户显示他们的照片,但是由于我的服务器资源非常有限,我不能让他们将其上传到服务器。
所以我有三个主要问题:
1。如何正确验证照片 URL? 至少我可以使用正则表达式进行验证,但是我需要检查文件结尾:
`validates_format_of :photo_url, :with => URI::regexp(%w(http https))`
2。安全问题? XSS?
即使我在创建图片时验证了图片,黑客也可以随时用恶意内容替换图片。
3.也许有带有 API 的免费资源商店?
I am writing an application where users are required to show their photo, however as my server resources are very limited I can not let them upload it to the server.
So I have three major questions:
1. How to properly validate photo URL? At least I can validate with regexp, however I need to check for file ending:
`validates_format_of :photo_url, :with => URI::regexp(%w(http https))`
2. Security issues? XSS?
Even I validate the picture at the moment of creation, hacker can replace image with malicious stuff anytime.
3. Maybe there are free asset stores with API?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
1.如何正确验证照片 URL?
您可以使用验证 URL 格式的插件或自己编写:
2.安全问题? XSS?
只要您转义文本,就不存在任何突出的安全问题。
<%=h image_tag obj.photo_url %>
是安全的。请记住,用户仍然可以使用 100MB 的图像,这会减慢每个访问者的速度。
3.也许有带有 API 的免费资产商店?
据我所知,没有,但rackspace cloud、amazon s3 托管非常便宜。
一些图像上传插件支持这两个,所以你至少可以节省一些时间。
1. How to properly validate photo URL?
You can use a plugin that validates the format of an URL or write it your self:
2. Security issues? XSS?
There aren't any outstanding security issues as long as you escape the text.
<%=h image_tag obj.photo_url %>
is safe.Take in mind, that the user can still use a 100MB image that will slow down every visitor.
3. Maybe there are free asset stores with API?
There aren't any that I know of, but rackspace cloud, amazon s3 hosting is pretty cheap.
Some image upload plugins have support for these two, so you'll at least save some time.