use of base64 images

[felipenmoura]

Markdown in issues should(must) accept images in base64.
When using the api, we might use it to upload an image from a canvas.
Also useful when we don't want to really upload the image to anywhere in the server, but the issue(for example, a printscreen).

I believe this is not a very complex feature to apply, and it would be pretty useful.

[bkeepers]

If I understand the issue correctly, we can't currently implement this due to security restrictions. For example, a user could embed an SVG with an inline script.

/cc @mastahyeti

[felipenmoura]

I see...
the thing is...to add images to issues or comments, the user must host it somewhere!
We were trying to create a tool that allowed final users to report problems...it creates an issue with the print screen of the user's screen...the idea was to simply send a base64 image...we had then to create and maintain a server/backend system, just to store the images.
Another thing could be, embed gists into issues or comments...or maybe wikis :)

[bkeepers]

Makes sense. Hopefully we can open up the API for our image uploads that we support on issues.

Another thing could be, embed gists into issues or comments...or maybe wikis :)

See #199

[gjtorikian]

For example, a user could embed an SVG with an inline script.

Yes and no. <object> is dangerous to open up, while <img> is not. But I think we should theoretically be able to support any base64 encoded image. We don't currently, for whatever reason.

Here's an entry on Wikipedia for a base64 encoded red dot:

<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />

And here it is rendered:

Not sure if camo or something else is interfering.

[btoews]

@bkeepers I can't think of anything wrong with allowing the data scheme in our sanitization. SVG gives me the jeebies because it's so damned flexible/powerful. The browsers seem to be doing a good job of disabling functionality like scripting, lints, etc when SVG are rendered in image tags though.

One thing to be careful about with allowing data URIs though is that we always wrap image tags in links to the image src. I don't think we want to be linking to data URIs, so that should be stripped out.

@gjtorikian The reason why your image doesn't render is that you have the src set to http://data:image/png;base64.... In data URIs data: is the scheme, so you don't do http://.

/cc @ptoomey3 @gregose @josh Am I missing anything with allowing data URIs for images?

[ptoomey3]

Yeah, so long as we restrict stuff to img tags I think we should be ok.

[gjtorikian]

In data URIs data: is the scheme, so you don't do http://

I am copy-pasting the same <img src="data:image/png;... into comments and Markdown files, and the src attribute seems to just get slurped away.

[josh]

Probably okay to image tags. I'm just worried about long term.

[josh]

What happens if a data: img goes out in an email? Do most clients handle it correctly?

[catesandrew]

+1 for base64 images in markdown

[wdalrymple]

damn. i was hoping that this existed already.

[catesandrew]

@josh, according to this, looks like only apple mail displays data images. but i don't think that should be a reason for or against adding the feature.

[felipenmoura]

The only thing about base:64 that makes me worried, is the length of issues and logs, once it might get bigger(specially if it is a screenshot or something like this).