xss_clean on images
#10

[eluser]Derek Jones[/eluser]
Yes, especially when trying to provide security for binary files, it's a balance, and we're never going to strike a balance that satisfies every individual or every security need. In ExpressionEngine, this has been employed fairly successfully for about a year or so. Super Admins are exempted from the filter, and there's an option to disable it entirely if one wishes. It can be pretty intensive both in terms of memory usage and as noted here, can generate false positives with ease, so it's definitely a personal decision.

The reason we protect against short tags in images even when short tags are disabled on the server is twofold. First, there's no way to know that that environment variable might not change in the future, leaving a previously safe image on your site suddenly a source of a scripting attack. Secondly, it's about being good internet citizens. If it is assumed that one wishes to only allow known-safe images to be accepted for a particular purpose on your own site, it is also assumed that you wouldn't want to let images through that were only safe on your server, as an unsuspecting individual might save that image and reuse it in an environment that was harmful.
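As an added illustration, not code from CodeIgniter or ExpressionEngine, here is a content scan of the kind the post describes, run over constructed byte strings: it shows the short-tag detection and the false positive a strict `<?` check produces on ordinary compressed image data. The pattern lists, the sample bytes and the loose variant are assumptions made for this example.

```python
import re

# Patterns that would let an "image" be interpreted as PHP or HTML if it were
# ever served through the wrong handler. Constructed for this example; the real
# xss_clean() uses its own, larger list of checks.
STRICT_PATTERNS = {
    "php-short-tag": re.compile(rb"<\?"),
    "script-tag":    re.compile(rb"<script", re.IGNORECASE),
}

# Looser variant (an assumption, not the library's behaviour): a short tag only
# counts if it looks like one a PHP parser would honour (<?php, <?=, or <? plus
# whitespace). This removes many of the false positives the thread mentions,
# but an unlucky byte sequence can still trip it.
LOOSE_PATTERNS = {
    "php-short-tag": re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE),
    "script-tag":    re.compile(rb"<script\b", re.IGNORECASE),
}


def scan_image(data: bytes, patterns=STRICT_PATTERNS) -> list[str]:
    """Names of the patterns found anywhere in the raw file bytes.

    The scan is purely content-based, so the verdict does not depend on
    whether short tags happen to be enabled on the server doing the check.
    """
    return sorted(name for name, rx in patterns.items() if rx.search(data))


# Constructed samples (not real files): a JPEG/JFIF header plus fake pixel data.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
# Compressed pixel data may contain any byte pair, including 0x3C 0x3F ("<?").
HARMLESS_BUT_UNLUCKY = JPEG_HEADER + b"\x01\x02<?\xff\xd9"
# PHP text appended after the image data: the case the filter is meant to catch.
TAGGED = JPEG_HEADER + b"\x01\x02\xff\xd9<?php /* anything */ ?>"
CLEAN = JPEG_HEADER + b"\x01\x02\x03\xff\xd9"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("unlucky", HARMLESS_BUT_UNLUCKY),
                          ("tagged", TAGGED)]:
        print(label, "strict:", scan_image(sample),
              "loose:", scan_image(sample, LOOSE_PATTERNS))
```

The strict scan rejects the "unlucky" sample even though it contains no usable PHP, which is the false-positive trade-off the post refers to; the looser variant accepts it while still flagging the appended tag.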




