[mir-coders] [Imc-germany-tech] Prohibiting external image sources with Mir

john duda john at manifestor.org
Mon Apr 16 20:18:12 UTC 2007


Ok, there's now an update in CVS to the
MirBasicProducerAssistantLocalizer that makes this happen.

the relevant config values are:

Localizer.HTML.KillWebBugs=0
Localizer.HTML.ExternalLocationAttributeValuePrefixes=http://;https://;ftp://;gopher://
Localizer.HTML.WhitelistedExternalLocationAttributeValuePrefixes=http://media.de.indymedia.org/;https://media.de.indymedia.org/

and the self-explanatory (I hope!) test case is:

<a href="http://www.google.com">Should point to google</a>
<img src="http://bad.guy.server.com/bug.pl" alt="src attribute should be stripped" /> 
<img src="/images/nav/participate.png" alt="local src attribute should be fine" />
<img src="http://media.de.indymedia.org/icon/2007/03/170950.jpg" alt="whitelisted src attribute should be fine" />
<form action="http://some_nice_form.com/form.pl" method="post">if you let forms through, this should be fine</form>


-john



On Fri, Apr 06, 2007 at 12:00:19PM +0200, skep wrote:
> Hi John!
> 
> We would like to prohibit external image sources with mir, but are a
> little bit stuck on how to do this with the new config-settings:
> 
> Localizer.HTML.BadAttributeValuePrefixes
> &
> Localizer.HTML.BadAttributes
> 
> We allow the img-Tag in our config.properties and now we want to only allow
> it for img-constructions like:
> <img src="http://media.de.indy..." >
> and disallow it for everything else (like <img
> src="http://some_other_website">)
> 
> Can you give us a hint on how to accomplish that?
> 
> Thanks in advance..
> 
> 
> ciao
> skep (imc germany volunteer)
> -- 
> my key: gpg --keyserver keys.indymedia.org --recv-keys 68BB7644
> http://keys.indymedia.org/cgi-bin/lookup?op=get&search=68BB7644
> fingerprint: F947 1486 A597 D28F 22B0  6F35 2700 738F 68BB 7644

-- 

this is where my public key can be found:
gpg --keyserver pgp.mit.edu --recv-keys 03817826
Key fingerprint = 6C11 8D70 2ADE EFA9 498D  72CB 77EA 391A 0381 7826
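
A sketch of the prefix check these settings describe, run over the test case from the message. This is an added example, not Mir's code and not part of the original message; which attributes are checked (src only), the trimmed, case-insensitive comparison, and all Python names are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Values copied from the config lines in the message above.
EXTERNAL = "http://;https://;ftp://;gopher://".split(";")
WHITELIST = "http://media.de.indymedia.org/;https://media.de.indymedia.org/".split(";")
# Assumption: the message does not say which attributes are checked; its test
# case implies src is filtered while href and form action are left alone.
CHECKED_ATTRIBUTES = {"src"}

# The test case from the message, embedded so the block runs offline.
SAMPLE = '''<a href="http://www.google.com">Should point to google</a>
<img src="http://bad.guy.server.com/bug.pl" alt="src attribute should be stripped" />
<img src="/images/nav/participate.png" alt="local src attribute should be fine" />
<img src="http://media.de.indymedia.org/icon/2007/03/170950.jpg" alt="whitelisted src attribute should be fine" />
<form action="http://some_nice_form.com/form.pl" method="post">if you let forms through, this should be fine</form>
'''

def is_blocked(value):
    """External prefix and no whitelisted prefix. Comparison is done on a
    trimmed, lower-cased copy (an assumption, not stated in the message)."""
    v = (value or "").strip().lower()
    return v.startswith(tuple(EXTERNAL)) and not v.startswith(tuple(WHITELIST))

class Stripper(HTMLParser):
    """Re-emits the markup, dropping blocked attributes (comments are dropped too)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.stripped = [], []
    def _tag(self, tag, attrs, close):
        parts = [tag]
        for name, value in attrs:
            if name in CHECKED_ATTRIBUTES and is_blocked(value):
                self.stripped.append((tag, name, value))  # keep for review/logging
            else:
                parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + close)
    def handle_starttag(self, tag, attrs): self._tag(tag, attrs, ">")
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " />")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def strip_external_sources(html):
    parser = Stripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.stripped
```

Because the whitelisted prefixes end in a slash, a host name that merely begins with media.de.indymedia.org does not match them.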



