Home/ Questions/Q 7431397
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T09:17:24+00:00

Is it safe to accept POST data that is supposed to be base64-encoded image

  • 0

Is it safe to accept POST data that is supposed to be base64-encoded image data and use it as the src attribute of an img?

<img src="data:image/png;base64,[data here]" />

Obviously, with no filtering one could easily break out of the src attribute and the img tag and insert malicious <script /> or other tags, so my idea is to

base64_decode($rawPostData)

check if it is decoded OK and then

base64_encode($decodedData)

to put it in the src attribute.

Are there any vulnerabilities (such as XSS, maybe buffer overflow?) with this approach?

Background

I need this for a page that transforms a third-party svg to canvas to base64-encoded data using JavaScript (using “canvg” to be precise). I need to have the image passed to server-side scripts to do some other tasks using the image, but also to show the image to the user / client.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would accept the image as an image, then base64_encode that. It saves the quite unnecessary middle-step of you checking it was submitted as expected and also makes it impossible to cause XSS.

    If you must validate base64 as in image, simply checking it only contains base64 characters would be sufficient, since you are only embedding it within an img tag (and tag breaking characters are not allowed in base64.

    Use inbuilt functions:

    if (base64_decode($mystring, true)) {
    // is valid
} else {
    // not valid
}
    • 0