- 🇺🇸 United States smustgrave
Just following up: is this still valid? If there is no follow-up, it could be closed in 3 months.
- 🇺🇸 United States drumm NY, US
This looks like it can be closed. The original image is still rendered in WYSIWYG instead of being filtered out; that's not ideal. It isn't showing what you will get on save, and could be used as an entry point to cross-site request forgery (CSRF) attacks. The worst example of the attack, <img src="/user/logout">, is mitigated since the logout route now has a token to prevent CSRF attacks. Since the WYSIWYG is requesting any img src URL, that could have anyone editing having requests made on their behalf. However, CSRF is generally prevented on the receiving end, as was done with /user/logout. I suppose there could be a privacy concern, since a 3rd-party request could still be made. I'm sure this was all handled in previous issues and the current state is okay.
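The receiving-end mitigation the comment describes, as an added illustration that is not Drupal's own code: a token bound to the session and the target path is required on the state-changing route, so an <img src="/user/logout"> fetched by the editor (no token, or a token for another path) is rejected. SECRET, the session ids and the URL shape are constructed assumptions.

```python
import hmac
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

SECRET = b"constructed-site-secret"  # constructed; a real site derives this from its private key


def csrf_token(session_id: str, path: str) -> str:
    """Token bound to both the session and the path, so it cannot be replayed elsewhere."""
    msg = f"{session_id}:{path}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def logout_link(session_id: str) -> str:
    """Legitimate logout link as the site itself would render it for this session."""
    return f"/user/logout?token={csrf_token(session_id, '/user/logout')}"


def is_request_allowed(session_id: str, url: str) -> bool:
    """Receiving-end check: a state-changing GET needs a valid token for its own path."""
    parts = urlparse(url)
    presented = parse_qs(parts.query).get("token", [""])[0]
    expected = csrf_token(session_id, parts.path)
    return hmac.compare_digest(presented, expected)


class _ImgSrcCollector(HTMLParser):
    """Collects the URLs a WYSIWYG would fetch when it renders <img> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def editor_requests_blocked(session_id: str, html: str) -> bool:
    """True if none of the <img src> fetches in the editor content pass the token check."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    return all(not is_request_allowed(session_id, src) for src in collector.srcs)
```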