@extends('layout.default') @section('breadcrumbs')
ID | URL Pattern | Example bypassed URL | {{ __('common.created_at') }} | {{ __('forum.updated-at') }} | {{ __('common.actions') }} | @forelse ($whitelistedImageUrls as $whitelistedImageUrl)
---|---|---|---|---|---|
{{ $whitelistedImageUrl->id }} | {{ $whitelistedImageUrl->pattern }} | {{ str_replace(['**', '*'], ['my.evil.example/evil', '_evil_'], $whitelistedImageUrl->pattern) }} | |||
No whitelisted image urls. |
When users add images via BBCode, other users will load the image on page load. This means whoever operates the website of the image URL can view the connecting IPs. Therefore, all images entered via BBCode are proxied.
In exceptional cases where the proxy blocks a popular image host, that image URL should be whitelisted here. This bypasses the proxy and links the image directly. Any trusted image URLs can also be included here to increase client image loading speeds.
You can use `*` as a wildcard when matching URLs. A `*` wildcard will match everything except for `/` and `.` in the URL. You can also use `**` to match any character. You must never use `**` for matching subdomains as any user can register their own domain and link `https://evil.example/subdomain.whitelisted-domain.example/image.png` to bypass the proxy.
To match a URL with a variable subdomain, make sure to manually specify the `.`, otherwise a user can register `https://evilimgur.com` if you use `https://*imgur.com/**` (bad) instead of `https://*.imgur.com/**` (good) or `https://i.imgur.com/**` (best).
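The following added example (not the project's own matcher) checks candidate patterns before they are saved, using the wildcard rules described above. The functions `patternToRegex`, `bypassesProxy` and `auditPattern` are hypothetical, the regex translation is an assumption based on this help text, and the sample URLs are constructed from the ones named on this page.

```php
<?php
// Added example. Wildcard semantics are assumed from the help text on this page:
// "*" = any run of characters except "/" and ".", "**" = any characters.
function patternToRegex(string $pattern): string
{
    // Split on wildcards and keep them as tokens; "**" is tried before "*".
    $tokens = preg_split('/(\*\*|\*)/', $pattern, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    $regex = '';
    foreach ($tokens as $token) {
        $regex .= match ($token) {
            '**' => '.*',
            '*' => '[^/.]*',
            default => preg_quote($token, '~'),
        };
    }
    return '~\A' . $regex . '\z~s'; // anchored: the whole URL must match
}

function bypassesProxy(string $pattern, string $url): bool
{
    return preg_match(patternToRegex($pattern), $url) === 1;
}

// Hypothetical lint for the host part of a pattern (scheme://host/...).
function auditPattern(string $pattern): array
{
    if (!preg_match('~\A[a-z]+://([^/]+)~i', $pattern, $m)) {
        return ['no scheme://host prefix'];
    }
    $findings = [];
    if (str_contains($m[1], '**')) {
        $findings[] = '"**" in host can span "/" and "."';
    }
    if (preg_match('~\*[^.*]|[^.*]\*~', $m[1])) {
        $findings[] = '"*" not separated from a host label by "."';
    }
    return $findings;
}

// Constructed sample data: patterns and URLs built from the ones named on this page.
$patterns = ['https://*imgur.com/**', 'https://*.imgur.com/**', 'https://i.imgur.com/**', 'https://**.whitelisted-domain.example/**'];
$urls = ['https://i.imgur.com/a.png', 'https://evilimgur.com/a.png', 'https://evil.example/subdomain.whitelisted-domain.example/image.png'];

foreach ($patterns as $pattern) {
    echo $pattern, "\n  audit: ", implode('; ', auditPattern($pattern)) ?: 'ok', "\n";
    foreach ($urls as $url) {
        printf("  %-6s %s\n", bypassesProxy($pattern, $url) ? 'DIRECT' : 'proxy', $url);
    }
}
```

Under these assumed semantics the "bad" pattern does not even match `i.imgur.com`, because `*` cannot cross the `.`; it only admits look-alike domains.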