Hi,

Users working with Markdown filter are able to place image paths in content, but latest security fix for Drupal added requirement of using itok parameters generated by image_style_url() API function.

I realise that this may not be responsibility of Markdown filter to re-parse paths of local images, but that's only true if editor uses some dialog window that does that for him (and uses the mentioned API function). If editor picks up styled version by hand, since he/she prefers to work on plain text, then a problem will arise since security tokens are missing.

Is it good idea to create some patch that tries to recreate paths for local, styled images and replace their URL-s with itok attached before generating HTML?

Comments

frjo’s picture

frjo commented

I think that kind of functionality belongs in a separate generic module. If you can cup up with a really clean and neat solution I will consider including it.

Personally I always discourage placement of images inline in the text by any means. I always use standard image fields and then let the formatter and theme take care of showing the image.

siefca’s picture

siefca commented

Just for curiosity, how can such images be "told" to appear in a specific places (paragraphs) of body in your case?

siefca’s picture

siefca commented

Other case is that Markdown's syntax has this basic functionality that allows to embed images as paths and refer to them.
Without armoring local paths with tokens this functionality will be broken (with the exception that some file picking dialog may produce correct URL-s, but for now, in my case it's not doing it right, at least with IMCE and BUEditor Markdown).

frjo’s picture

frjo commented
Title: Image paths and DoS protection in Drupal 7.20 » Image style paths and DoS protection in Drupal 7.20

It's only with image style path that you get this problem, normal image path will work as they always have.

If IMCE has a feature where you can construct image style path it will need to be updated to make use of the image_style_url() API function.

Regarding placing images between paragraphs I simply never do that.

barraponto’s picture

barraponto
he / him
commented
Version: 7.x-1.x-dev » 7.x-2.x-dev
Status: Active » Closed (works as designed)

While Markdown has a syntax that lets users insert img tags, the module doesn't do anything to them. If you're using a Markdown library that enhances it by providing image styles support, it's up to that library to provide the tokens. If, on the other hand, your WYSIWYG solution is providing the Markdown code, then it's up to it. See #1930698: Drupal 7.20 update broke IMCE's feature for generating previews via image styles if you're using IMCE.

I might revisit this as part of #1855442: Add Markdown Module Support, but will probably fix this probable issue in whatever Wysiwyg module Panopoly uses.

barraponto’s picture

barraponto
he / him
commented
Issue summary: View changes

added some info