Reject data URIs for [img]

diff --git a/wcfsetup/install/files/lib/system/html/metacode/converter/ImgMetacodeConverter.class.php b/wcfsetup/install/files/lib/system/html/metacode/converter/ImgMetacodeConverter.class.php
index d8e00bf6c4256aaf3ee8e5503b3d9cf4dd559c9b..8a1dfafa6595e9fb4060aefdad59c0ce3b1eeccf 100644 (file)
--- a/wcfsetup/install/files/lib/system/html/metacode/converter/ImgMetacodeConverter.class.php
+++ b/wcfsetup/install/files/lib/system/html/metacode/converter/ImgMetacodeConverter.class.php
@@ -30,6 +30,15 @@ class ImgMetacodeConverter extends AbstractMetacodeConverter {
         */
        public function validateAttributes(array $attributes) {
                $count = count($attributes);
-               return ($count > 0 && $count < 4);
+               if ($count > 0 && $count < 4) {
+                       // reject data URIs
+                       if (preg_match('~^\s*data:~', $attributes[0])) {
+                               return false;
+                       }
+                       
+                       return true;
+               }
+               
+               return false;
        }
 }