After reading http://dsecrg.com/files/pub/pdf/XSS_in_images_evasion_bypass_(eng).pdf, it is clear that allowing image uploads from users opens you to XSS attacks.
I wasn’t able to find any PHP examples of how to screen an uploaded image for XSS attacks.
I found one for CodeIgniter, which I am using. The function is xss_clean($file, IS_IMAGE), but there is only 1 sentence of documentation for it, so I have no idea how it works and a comment in their forum said it had an unreasonably high rate of false positives, so it’s not usable in production.
What do you recommend to prevent XSS attacks within an uploaded image?
As long as you keep the extension correct (and your users are diligent about updating their browser) image injection should not be possible.
For instance, if someone uploads
alert('xss');as an image and you have<img src='that-image.png'>, it will be emitted as a png and the JavaScript won’t execute (at least back to IE7). What’s important is that you rename the images appropriately.If you have php > 5.3 and the
finfoPECL extension, you can use it to get the mime type of the file and have a whitelist of types you will allow (png, jpg, gif I would imagine). If you are on a Linux machine,filemay help you with that as well.