Django prevent image upload containing possible XSS code

Why not just verify that the file is a valid image?:

from PIL import Image
image = Image.open(file)
image.verify()

As another poster has suggested, you can indeed attempt a transformation and check if an exception is thrown, but verify() will probably be quicker.

Or maybe you can try detecting the type?:

import imghdr
path = 'Image.jpg'
imghdr.what(path)

Or

from PIL import Image
image = Image.open('myimage.png')
image.format

Using any of the above methods, you can determine if the file is actually an image or not. If it is not an image, then consider the file as spurious, and do not output it on any of your web pages. By not outputting the file, there is no risk of XSS from this vector, because even if the file is HTML, by not outputting it on your page, it cannot compromise your page.

Tags:

Amazon S3

Django

Related

Make prettier less uglier - prevent split tags NestJS - How to use .env variables in main app module file for database connection How to rename object keys inside array Conditionally pasting values from one column to another in R Cannot convert value of type 'Published<Bool>.Publisher' to expected argument type 'Binding<Bool>' Error run current project after flutter upgrade v3.13 Thin and Puma fail with similar issues - ERROR: Failed to build gem native extension on Mac with [email protected] Google cloud storage python client AttributeError: 'ClientOptions' object has no attribute 'scopes' occurs after deployment what is --use-feature=2020-resolver? error message with jupyter installation on ubuntu Javascript's Shift right with zero-fill operator (>>>) yielding unexpected result How to migrate a JSON table that contains an array to SQL? Logically yet illegaly uninitialized variable in Rust

Recent Posts