Removed Inline Image Support - Update: Fixed - Better Battlelog Forums #130907

Post edited 11 x times, last by
Hi all!

Update 07.12.2014

This issue is now fixed on and in the BBLog addon. It still exist a security hole in your browser but in BBLog or on you are safe.
Firefox Notes
: Here we must pre-cache the image file to make sure that it's safe. That means that in general all counter (user/pageviews) services not work properly.

Original Message:

Unfortunately i decided to temporarily remove inline image support from the BBLog addon and from the homepage for external images.

Reason is because i found out today that this could be a big security hole.
More information here:
Browser Auth Pishing Attack with embedded images

Inline Images in the addon are deactivated until this issue is fixed or fixable.
Inline Images on - Only allowed for attachments, not for external images.

This only affect Inline Images, not Inline Youtube Videos.

Spread the word about that.

Greetz Roland
But for instance, it is possible to add exceptions or "white list" to this trusted sources such as imgur, etc....

1.making sure that url starts and ends with specific text
2.and then implementing a script which actually checks that the url is an "image file"
Post edited 1 x times, last by
Sure, it's possible. But i don't actually integrate a white list.
A script that checks for correct images could only be done by server side and we don't have the capacity to do create such service.

I'll follow the discussion about that bug and if nothing happens from browser side, i'll consider other ways.
Post edited 4 x times, last by
any technical reason for white list thing...cause in my opinion that seems best fix until we find a solid solution..

i'm not pro in js right now but isn't this simple algorithm possible on client side..

1.URL found

2. if URL match(http://imgur.....OR

if type match==(jpg,png,gif)
create elements and embed
do not embed


Again just an idea....could be improved..Happy to be a part of development
No technical reason, i just don't want to make a "white list" because this creates a "two class feature".
I just want to have a fully functional feature. Allowing just a bunch of hosters is not that what i want to do.

The check for a valid file extension also doesn't help because a correct looking image link could also be manipulated.

Anyway, thx for suggestions.
mmhmmm.....Well I respect your personal policy...Hope this gets fixed soon.
hope it's going to be back soon as well
Please quickly fixed,

this being the reason why 60% of users take advantage of this tool and as the lead designer of two platoons. with endless hours working on the presentation with one blow away..

Fact who wants anything from the browser to system is vulnerable is always gaps but if you blow on it of course 5445990 people with a down during which to know profiles of users and platoon to link ruins...

makes understanding...

alternative are in demand or offers befor the ship goes down :(
I advised BFL to let users enable the feature at their own those who are aware these things(Phishing and all)..

Rest is upon BFL...what he comes up with..
Post edited 2 x times, last by
I understand all your opinions and all your suggestions.

I decided to re-enable Google Chrome and Opera right now., because they have no problems with the security issue.
For all chrome/opera users it should work within the next 24 hours.
You can force the update by opening this page

press CTRL + F5 and than use battlelog as always.

For all Firefox users, sorry, i cannot currently enable that feature because it's not fixed right now, but i'll think about another temporarily fix for you.
Well, good news for all of you.

Inline Images should now work, securely and for every browser.
Maybe it takes up to 24 hours to work for you.
You can force the update by opening this page

press CTRL + F5 and than use battlelog as always.

The technique behind is now that caches the image and than return it back to you if it is safe to use.
Hopefully our server can handle that.

However, the bug still exists in your browser but it's now safe inside of BBLog addon and on

Greetz Roland
Really appreciate it ...bud
Post edited 1 x times, last by
There are issues with certain characters in URLs from FlagCounter.

BBlog loads this URL

instead of

which causes the Image to be broken and not recognized by Flagcounter

pls fix
Thanks in advance
Post edited 1 x times, last by
Flagcounters and any other counter service not working properly with the current fix.
Reason is simply that BBLog does cache and pre-download the image to make sure it's safe.
So, the counter will never be counted up. For flagcounter it seems that they also have some other checks that make it impossible to work with our special fix.

It's not fixable until the browser developers fix the security hole. Than we can remove our temporarily cache.
I'll see if i can make an exception for chrome/opera to directly show the image because they are not affected by that issue.
That would be great, most of the people I know use Chrome aswell...
Thank you :))

for fixed and reaktivation, am satisfied when it comes in whenever a browser of the three,
has saved my day.