Ticket #13199 (closed Bug: fixed)
image in data URIs filtered only on output, bloats object and database
Reported by: khink | Owned by: (none)
In RichText fields on dexterity content types, data URIs are filtered on output but are stored in the database. In the case of images, this will make the objects and database grow at an enormous rate.
Some browsers will create an image with data URI when an image is dragged from the desktop into the visual editor area. I've seen this for Safari on Mac OSX, and for Firefox 15.0.1 on Ubuntu 12.04.
To reproduce the behavior on any browser:
- start with a Plone 4.2.1 with plone.app.dexterity installed
- enable dexterity, create a content type with a RichText field
- create an object of the new type
- drag an image from the desktop into the text if your browser supports it
- alternatively, edit HTML for the text field, and insert <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">click me</a> (code from test_xss.py in PortalTransforms)
- after saving, the link content is stripped on output and does not show on screen (which is okay)
- stop the Zope instance and inspect the object with ./bin/instance debug: obj.textfield.raw has the entire HTML. In the case of an image, this would be quite big.
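An input-side counterpart to the output filter the ticket describes, as an added example (not Plone or PortalTransforms code): it walks the submitted HTML with the standard-library parser and drops href/src style attributes whose value is a data: URI before the value is stored, so the raw field never carries the payload. The attribute set and function names are my own choices, and the sample input is constructed.

```python
from html.parser import HTMLParser
from html import escape
# Attributes that carry a URL and can therefore smuggle a data: URI into the stored HTML.
URL_ATTRS = {"href", "src", "poster", "background"}

class DataURIStripper(HTMLParser):
    """Re-emits the HTML it is fed, dropping URL attributes whose value is a data: URI."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities exactly as written
        self.out = []
        self.dropped = 0

    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases attribute names
            if name in URL_ATTRS and value and value.strip().lower().startswith("data:"):
                self.dropped += 1  # dropped at save time, so the payload never reaches the ZODB
                continue
            kept.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")
    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

def strip_data_uris(html):
    """Return (cleaned_html, number_of_data_uris_dropped) for a RichText raw value."""
    p = DataURIStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped

if __name__ == "__main__":
    # Constructed input: the ticket's own test link plus a dragged-in image of about 100 KB.
    raw = ('<p>Hi <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">click me</a>'
           '<img src="data:image/png;base64,' + "A" * 100000 + '" alt="dropped"></p>')
    clean, n = strip_data_uris(raw)
    print(f"dropped {n} data URIs; raw {len(raw)} bytes -> stored {len(clean)} bytes")
```

Running the block on the constructed input shows the stored size dropping from roughly 100 KB to under 100 bytes, which is the growth the ticket is about.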
- Status changed from new to confirmed
- Component changed from Unknown to Dexterity