The emojis are pretty dope but not quite the same thing

  • Ryaina [she/her]
    4 years ago

    Because we are more concerned with security than your typical web forum.

    Allowing the embedding of an arbitrary image in a page as an avatar/profile picture has been a common source for cross-site scripting vulnerabilities and tracking of users.

    If you control the server the image is hosted on, you can track the IPs of people who load that picture. If you know the image will be presented to the user unaltered, then you can craft malicious images that can exploit things. If you create an account to only DM one person, it's even possible to specifically target one user with these kinds of attacks.

    This is also the reason we have not yet enabled direct embedding of images in comments or post bodies.

    We have some idea on how to combat these vulnerabilities and enable these features, and they are on the todo list. But as of yet, no one contributing to the team has had the time to tackle them in lieu of the other work we have been focusing on.