From 06c2136817a738d2226e1af689d7914b0775a287 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Thu, 5 Oct 2017 00:45:24 +0200
Subject: [PATCH] Reject data URIs for [img]
---
 .../metacode/converter/ImgMetacodeConverter.class.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/wcfsetup/install/files/lib/system/html/metacode/converter/ImgMetacodeConverter.class.php b/wcfsetup/install/files/lib/system/html/metacode/converter/ImgMetacodeConverter.class.php
index d8e00bf6c4..8a1dfafa65 100644
--- a/wcfsetup/install/files/lib/system/html/metacode/converter/ImgMetacodeConverter.class.php
+++ b/wcfsetup/install/files/lib/system/html/metacode/converter/ImgMetacodeConverter.class.php
@@ -30,6 +30,15 @@ class ImgMetacodeConverter extends AbstractMetacodeConverter {
 */
 public function validateAttributes(array $attributes) {
 $count = count($attributes);
- return ($count > 0 && $count < 4);
+ if ($count > 0 && $count < 4) {
+ // reject data URIs
+ if (preg_match('~^\s*data:~', $attributes[0])) {
+ return false;
+ }
+
+ return true;
+ }
+
+ return false;
 }
 }
--
2.20.1
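Review bot: The added `preg_match('~^\s*data:~', $attributes[0])` check in validateAttributes() is case-sensitive, but URI schemes are compared case-insensitively, so an upper- or mixed-case spelling of the scheme is not rejected; the pattern should carry the `i` modifier: `if (preg_match('~^\s*data:~i', $attributes[0])) {`. The check is also a denylist for a single scheme, so any other non-HTTP scheme still passes this validator. If [img] is only meant to reference remote images, an allowlist of accepted schemes would be the more robust shape, though whether the URL is validated again later in the pipeline is not visible in this hunk. The comment could also record the reason, e.g. `// reject data URIs: they embed content inline instead of referencing a remote image`.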