What we should change and why (this is tech debt)
We allow the `img` HTML tag in product descriptions and display the image in the shopfront. While this was the easiest way to show images, it potentially opens up attack vectors to compromise a user's privacy or deceive them with an image.

A better solution would be to store images with ActiveStorage and serve them from there. The storage is in our control and doesn't allow tracking of users. It also means that we can serve images quicker than some random websites and that we can optimise the image and limit the size.
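To size this tech debt before migrating, an audit script that reports which product descriptions still embed images from hosts we do not control, as an added example in Ruby (not the project's own code). It assumes our shop's hostname is shop.example.test and that images we serve ourselves live under the default ActiveStorage route prefix /rails/active_storage/.

```ruby
# Added example, not project code: audit product descriptions for <img> tags
# whose src loads from a third-party host (the host learns the viewer's IP,
# User-Agent and viewing time). Assumptions: our own hostname is
# shop.example.test; self-served images sit under /rails/active_storage/.
require 'uri'

OWN_HOSTS = %w[shop.example.test].freeze           # assumed: our own hostname(s)
OWN_PATH_PREFIX = '/rails/active_storage/'.freeze  # default ActiveStorage route prefix

# Extracts every src value from <img ...> tags. Good enough for an audit
# report; it is NOT a sanitizer and must not decide what gets rendered.
IMG_SRC = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i

def image_sources(html)
  html.scan(IMG_SRC).map { |captures| captures.compact.first }
end

# Classifies one src value:
#   :own      - served by us (ActiveStorage path or our own host)
#   :external - loaded from a third-party host: tracking / deception risk
#   :data_uri - inline image; no tracking, but bypasses any size limit
#   :unknown  - relative path outside ActiveStorage, or unparseable
def classify_src(src)
  src = src.strip
  return :data_uri if src.start_with?('data:')
  uri = URI.parse(src)
  if uri.host.nil?
    return uri.path.to_s.start_with?(OWN_PATH_PREFIX) ? :own : :unknown
  end
  OWN_HOSTS.include?(uri.host.downcase) ? :own : :external
rescue URI::InvalidURIError
  :unknown
end

# Groups the image sources of one description by category.
def audit_description(html)
  image_sources(html).group_by { |src| classify_src(src) }
end

# Returns the ids of products whose description loads an external image.
def products_with_external_images(descriptions)
  descriptions.select { |_, html| audit_description(html).key?(:external) }.keys
end

# Constructed sample descriptions (product id => HTML), not real data.
SAMPLE = {
  1 => '<p>Blue mug</p><img src="https://tracker.example.net/pixel.gif?u=1">',
  2 => '<p>Red mug</p><img src="/rails/active_storage/blobs/abc/mug.jpg">',
  3 => '<p>Plain</p>'
}.freeze

SAMPLE.each { |id, html| puts "#{id}: #{audit_description(html)}" } if __FILE__ == $0
```

Run it against a dump of the real descriptions column to get the list of products that must be re-uploaded through ActiveStorage before `img` can be dropped from the allowed tags.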
Context
Impact and timeline
The security issue is theoretical at the moment and may only exist in conjunction with another vulnerability.