I'm developing a web-tool (a TiddlyWiki Classic plugin) with contenteditable elements where I'd like to insert images by copy-pasting; they should then be stored locally via a (PHP) server.
Among other stuff, the back-end should store images by URL, which are generated by copy-pasting an image from a web-page. My draft of the image-grabbing function is the following:

    function loadImageByUrlAndSave($url, $path, $name)
    {
        $url = filter_var($url, FILTER_SANITIZE_URL); //# not sure if this is really needed
        $img = file_get_contents($url);
        $type = "png";
        //# check for request errors, ensure we got an image, get its type automatically
        file_put_contents($path . $name . "." . $type, $img);
    }

It works so far; however, I've read that using file_get_contents is not encouraged in such a direct manner. I guess when this is used locally and by me only, the only security issue here is to avoid images that contain JavaScript (I've heard about this very little). What security measures would you suggest? Is it possible to automatically remove JavaScript from images? Is it removed in this workflow at the copy-paste stage so that I don't need to worry at all? I'd like to avoid any unexpected behaviour since that may corrupt data in my TW.
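
A hardened variant of the draft above, as an added example that is not part of the original post: it restricts the URL to public http/https hosts, caps the download, and re-encodes the pixels with GD so that only image data reaches the disk. The function names, the two limits and the server-generated file name are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. Assumes the GD extension is loaded.
const MAX_BYTES  = 5 * 1024 * 1024; // assumed download cap
const MAX_PIXELS = 25000000;        // assumed cap against decompression bombs
// Accept only http(s) URLs whose host resolves to public IPv4 addresses.
function isPublicHttpUrl(string $url): bool
{
    $p = parse_url($url);
    $scheme = is_array($p) ? strtolower($p['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($p['host'])) {
        return false; // rejects file://, php://, ftp:// and similar wrappers
    }
    $ips = gethostbynamel($p['host']);
    if ($ips === false) {
        return false;
    }
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false; // loopback, RFC 1918, link-local and similar ranges
        }
    }
    return true; // limitation: the fetch below resolves the name a second time
}

// Returns the stored file name, or null if any check fails.
function saveImageFromUrl(string $url, string $dir): ?string
{
    if (!isPublicHttpUrl($url)) {
        return null;
    }
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    $data = @file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
    if ($data === false || strlen($data) > MAX_BYTES) {
        return null;
    }
    $info = @getimagesizefromstring($data); // reads the header, no full decode
    $okTypes = [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $okTypes, true) || $info[0] * $info[1] > MAX_PIXELS) {
        return null;
    }
    $img = @imagecreatefromstring($data); // decode to a pixel buffer
    if ($img === false) {
        return null;
    }
    imagesavealpha($img, true); // keep transparency when writing the PNG
    $name = bin2hex(random_bytes(16)) . '.png'; // server-chosen name and type
    return imagepng($img, rtrim($dir, '/') . '/' . $name) ? $name : null;
}
```

Re-encoding drops metadata and any bytes appended after the image data, so a file that is both a valid image and a script does not survive intact. Animated GIFs are reduced to their first frame.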