My company will allow customers to post suggestions to our website. This feature is very similar to facebook share link. Our customers will type a URL, we will scrape the site, retrieve the images, description and save the description and the image url in our database for other customers to review them later.
We don't have the resources to save/manipulate external image, unless it is absolutely necessary for now we will like to save the image url and render it onload.
The feature has been implemented but I have some concerns and would like to get some expert help to make sure I can prevent any issue from happening.
Scenario 1 Customer A, posts 5 suggestions from websites which contains large high quality images. Can I prevent the site to get a performance hit the first time I render and retrieve those images from the sites?, do you know if it would be illegal to save a local copy as long as I keep the reference to the original site? also I am against hotlinking but not sure if keeping a copy in my hard drive is a good idea. I noticed facebook doesn't save them, they always render the image, I am sure they do it that way because that's the right way to do it.
b) Customer B misuses this feature and he actually try to do an XSS attack how can I take advantage of Anti-XSS 4.0 to make sure customer doesn't try an xss attack, encoding the output would be enough? is there any other security risk that I am not aware of?
Thanks for your help!
