I have never used an iframe in my career as I've always read how they can be exploited for hacking and something like that.
Well, now I'm really tempted to use one...
My case:
- I have a small uploading cgi script that opens in pop up window when upload starts (shows kb/s, remaining time etc)
- I'd like to include it in my uploads page (for registered users only) instead of having it in a pop up
- I was thinking of placing it under my content and just load the upload monitor in it once ready and remove it once upload is done
- yep, I know... I could modify the whole script so it becomes a part of my upload page, but just calling it in an iframe works great and it would save me some time : )
Are there any potential threats here that I should know of?
The sole process "seems" harmless to my untrained eye : D
Are there any potential threats here that I should know of?
If there are any threats, as mentioned, they're not in your iframe; they could be in your upload script. For example, if I write a nasty virus and rename it "innocent-file.jpg", I could potentially upload a virus to your server.
Make sure your upload script is secure and filters data, and it's all good.
For JPEGs etc.: parse them server side with something like libpnm and translate them with it, so that the file you use isn't a binary copy of what was uploaded.
"jpegtopnm | pnmfile" will tell you if it is a JPEG that can be parsed as such (it still might be kids in inappropriate positions, but at least it's an image).
"jpegtopnm < in | pnmtojpeg -optimize > out" and you have a JPEG, making sure it's not the binary code of what was uploaded (lossy compression, don't do it too often).
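The two replies above describe one procedure: refuse uploads that merely carry a .jpg name (the renamed "innocent-file.jpg" case) and re-encode everything that does decode, so the stored file is never a byte copy of the upload. The following is an added example, not code from the thread: a pure-Python structural pre-screen that walks the JPEG marker segments before anything is handed to an image decoder, plus a wrapper around the exact netpbm pipeline the reply names (`jpegtopnm` piped into `pnmtojpeg -optimize`). Function names, the constructed sample bytes and the assumption that netpbm is installed are mine; the sample is a marker skeleton that satisfies the structural check but is not a decodable picture.

```python
import subprocess

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# SOFn (frame header) markers: 0xC0..0xCF minus DHT (0xC4), JPG (0xC8), DAC (0xCC)
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def check_jpeg_structure(data: bytes):
    """Walk the JPEG marker segments and return (ok, reason).

    This is a cheap structural pre-screen, run before any decoder touches the
    bytes. It rejects an executable or script renamed to .jpg, truncated files
    and anything appended after EOI (the classic "valid image + payload"
    polyglot). It does NOT decode the image; jpegtopnm/pnmfile does that.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return False, "missing SOI marker (not a JPEG)"
    pos, saw_sof, saw_sos = 2, False, False
    while pos < len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            return False, "truncated marker"
        marker = data[pos]
        pos += 1
        if marker == EOI:
            if not (saw_sof and saw_sos):
                return False, "EOI before frame/scan headers"
            if pos != len(data):
                return False, f"{len(data) - pos} trailing bytes after EOI"
            return True, "ok"
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM, RSTn carry no length
            continue
        if pos + 2 > len(data):
            return False, "truncated segment length"
        seg_len = int.from_bytes(data[pos:pos + 2], "big")  # length includes itself
        if seg_len < 2 or pos + seg_len > len(data):
            return False, f"bad segment length {seg_len} at offset {pos}"
        if marker in SOF_MARKERS:
            saw_sof = True
        pos += seg_len
        if marker == SOS:
            saw_sos = True
            # Entropy-coded data follows; inside it 0xFF is always followed by
            # 0x00 (byte stuffing) or an RSTn marker, anything else ends the scan.
            while pos < len(data):
                if (data[pos] == 0xFF and pos + 1 < len(data)
                        and data[pos + 1] != 0x00
                        and not (0xD0 <= data[pos + 1] <= 0xD7)):
                    break
                pos += 1
    return False, "no EOI marker (truncated file)"


def reencode_with_netpbm(src_path: str, dst_path: str) -> int:
    """jpegtopnm < src | pnmtojpeg -optimize > dst, as the reply describes.

    Assumes netpbm is installed. A file jpegtopnm cannot decode is rejected;
    one it can decode is written back as a freshly encoded JPEG, so the bytes
    on disk are never the bytes that were uploaded. Returns the output size.
    """
    with open(src_path, "rb") as fin:
        pnm = subprocess.run(["jpegtopnm"], stdin=fin, capture_output=True)
    if pnm.returncode != 0:
        err = pnm.stderr.decode(errors="replace").strip()
        raise ValueError(f"jpegtopnm rejected the upload: {err}")
    jpg = subprocess.run(["pnmtojpeg", "-optimize"], input=pnm.stdout,
                         capture_output=True, check=True)
    with open(dst_path, "wb") as fout:
        fout.write(jpg.stdout)
    return len(jpg.stdout)


# Constructed sample (not a real photo): JFIF APP0, DQT, SOF0 8x8 grayscale,
# DHT, SOS with a stuffed 0xFF00 in the scan data, EOI. Structurally valid
# for the checker above, but not a decodable image.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xdb\x00\x43\x00" + bytes([16] * 64)                       # DQT
    + b"\xff\xc0\x00\x0b\x08\x00\x08\x00\x08\x01\x01\x11\x00"          # SOF0
    + b"\xff\xc4\x00\x14\x00\x01" + bytes(15) + b"\x00"                # DHT
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS
    + b"\x12\x34\xff\x00\x56"                                          # scan data
    + b"\xff\xd9"                                                      # EOI
)
# "innocent-file.jpg" that is really a Windows executable stub (constructed)
RENAMED_EXE = b"MZ\x90\x00" + bytes(60)
# valid-looking JPEG with a script appended after EOI (constructed polyglot)
POLYGLOT = SAMPLE_JPEG + b"#!/bin/sh\necho pwned\n"


if __name__ == "__main__":
    import sys
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        ok, why = check_jpeg_structure(f.read())
    if not ok:
        sys.exit(f"rejected: {why}")
    print(f"wrote {reencode_with_netpbm(src, dst)} bytes to {dst}")
```

The pre-screen is only the first gate: the re-encode is what actually guarantees the stored bytes are not the uploaded bytes, and it should write to a server-chosen filename outside any directory the web server executes from. `check_jpeg_structure` deliberately treats data after EOI as a rejection rather than trimming it, since a file that needs trimming is already suspicious.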
...