
Adding JavaScript image uploader to .NET website - security concerns


I have a site built on ASP.NET and C#. One of the requirements of the site is to allow users to enter text in a WYSIWYG type editor as well as upload images.

I started development using the .NET HTMLEditor and at first was pleased. I gave up on the control after spending a handful of hours attempting to add an image uploader button to the control.

Instead I am now using the obout HTMLEditor and it's working great. It has an image uploader that I am able to dynamically set the location to save the files, which is great. Right now the images go into a sub-folder of the site that I can partially lock down with IIS to prevent things like directory browsing.

My concern, because I know very little about JavaScript, is in regards to potential security problems. Before, when I used .NET code for the image uploading, I was able to take a bunch of steps. I am assuming that the JavaScript code runs with the same user privileges as the IIS ApplicationPool that the site is running under.

So finally, the question. Is it secure to implement a JavaScript image uploader on a .NET site? The only other solution I see is to write a .NET image uploader and then use the "Image Browser" control to insert the images into the HTMLEditor, but that seems harder for the user.


Solution

  • Yes it is. JavaScript code is always executed on the client side. It's not possible to access any resources of your web server with JavaScript.
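
Whatever script runs in the browser, the uploaded file still reaches the site as an HTTP request handled by server-side code, and that is where checks on the file belong. The following is an added example, not code from the original post or from the obout control: `ImageUploadValidator`, `TrySave`, the 2 MB cap and the list of allowed formats are all assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example: hypothetical helper, not part of the obout control or the original post.
public static class ImageUploadValidator
{
    private const int MaxBytes = 2 * 1024 * 1024; // assumed size cap

    // Allowed extensions mapped to the leading "magic" bytes of each format.
    private static readonly Dictionary<string, byte[]> Signatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
            { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".jpeg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 } }
        };

    // Returns a server-generated file name if the upload passes, otherwise null.
    public static string TrySave(Stream upload, string clientFileName, string targetDir)
    {
        string ext;
        try { ext = Path.GetExtension(clientFileName ?? string.Empty); }
        catch (ArgumentException) { return null; } // invalid characters in the name

        byte[] magic;
        if (!Signatures.TryGetValue(ext, out magic)) return null; // extension allowlist

        // Read at most MaxBytes + 1 so an oversized upload is detected, not buffered whole.
        byte[] buffer = new byte[MaxBytes + 1];
        int total = 0, read;
        while (total < buffer.Length &&
               (read = upload.Read(buffer, total, buffer.Length - total)) > 0)
            total += read;
        if (total > MaxBytes || total < magic.Length) return null;

        // Content must start with the signature that matches the claimed extension.
        if (!buffer.Take(magic.Length).SequenceEqual(magic)) return null;

        // Never use the client-supplied name on disk; it may contain path segments.
        string safeName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        using (var fs = new FileStream(Path.Combine(targetDir, safeName), FileMode.CreateNew))
            fs.Write(buffer, 0, total);
        return safeName;
    }
}
```

A matching signature does not prove the file is a well-formed image, so the IIS restrictions on the upload folder mentioned in the question still matter.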