Peter Lind wrote:
> On 14 August 2010 22:36, Sebastian Ewert <seb2...@yahoo.de> wrote:
>> Hi,
>>
>> before I allow to upload images I read them and check for several html
>> tags. If they exist I don't allow the upload. Is there any need to check
>> pdf files, too? At the time I'm doing this, but the result is that many
>> files are denied because of unallowed html tags.
>>
> 
> Reading and checking for html tags seems rather excessive - I would
> rather use image extensions/pdf extensions and tools to verify that
> the uploaded data was in fact one or the other. If someone uploads an
> image and you cannot get the image dimensions from the file, for
> instance, then it's likely not an image.
> 
> Regards
> Peter
> 
So if imagick says it's an image/pdf there is no need to check for html
tags? My upload class first checks the mime type with imagick. Do you
know other tools?

I think I can remember an XSS tutorial where the JS code was included
in an image. But I haven't tried it so I couldn't test the result. He
used a program to combine images with text. Perhaps I have understood
something wrong.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
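
Added example (not part of the thread or either poster's code): one way to do the check discussed above in PHP, verifying the content type and image dimensions and then re-encoding images so embedded text does not reach the stored file. It assumes the fileinfo and GD extensions; `store_upload()` and `$destDir` are hypothetical names.

```php
<?php
// Added example; store_upload() and $destDir are hypothetical names.
const ALLOWED = [                       // extension => expected MIME type
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
    'pdf' => 'application/pdf',
];

// Validate one $_FILES entry and store it in $destDir (a directory outside
// the web root). Returns the stored path or throws RuntimeException.
function store_upload(array $file, string $destDir): string
{
    $tmp = $file['tmp_name'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Detect the type from the bytes; $file['type'] is sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    $name = bin2hex(random_bytes(16));  // server-chosen name, never the client's

    if ($mime === 'application/pdf') {
        // Require the PDF header at offset 0, not somewhere after other data.
        if (file_get_contents($tmp, false, null, 0, 5) !== '%PDF-') {
            throw new RuntimeException('not a PDF');
        }
        $dest = "$destDir/$name.pdf";
        if (!move_uploaded_file($tmp, $dest)) {
            throw new RuntimeException('could not store file');
        }
        return $dest;
    }
    // Peter's check: no readable dimensions means it is not an image.
    $info = getimagesize($tmp);
    $img  = $info ? imagecreatefromstring(file_get_contents($tmp)) : false;
    if ($img === false || $info[0] < 1 || $info[1] < 1) {
        throw new RuntimeException('not a decodable image');
    }
    // Writing the decoded pixels to a new PNG discards comment blocks,
    // metadata and trailing bytes from the original file.
    $dest = "$destDir/$name.png";
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not store image');
    }
    return $dest;
}
```

PDFs are stored unchanged here, so serve them with their stored `Content-Type` and `X-Content-Type-Options: nosniff` so a browser does not interpret the bytes as HTML.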
