views: 210, answers: 4

I run a small browser MMO, and I have a problem where a couple of users are embedding scripts into their profile images, and using them to make attacks against said users, and my game in general. Is there a way to protect against this, or do I need to start blocking people from being able to use their own custom images?

If it helps any, it's done in PHP/MySQL.

A: 

Some of the most common practices for validating image integrity include checking the MIME type, or reading the first few bytes of the file in binary mode. Although these are not the best, it's worth a try to fend some of them off.

John T
See my post to understand why this won't work.
Unkwntech
+3  A: 

Try having GD process those images. If it throws errors, you know you have a problem. Since image upload is a relatively rare operation, it shouldn't cause load problems to do some kind of arbitrary manipulation.

acrosman
See my post to understand why this won't work.
Unkwntech
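The following is an added example, not code from the question or from either of the two answers above; it puts both suggestions (a magic-byte check, then a GD decode and re-encode) into one PHP upload handler. The form field name `avatar`, the storage directory, the size limits and the decision to always write PNG are assumptions made for the example.

```php
<?php
// Added example (not from the original question or answers): an upload
// handler that combines the two suggestions above. The file's leading
// bytes are compared with the PNG/JPEG/GIF signatures, then GD decodes the
// data and re-encodes only the pixels into a fresh file, so comment chunks,
// EXIF/metadata and any bytes appended after the image data are not kept.
// $_FILES['avatar'], the limits and the destination path are assumptions.

const MAX_BYTES = 512 * 1024;   // assumed upload cap, 512 KiB
const MAX_DIM   = 256;          // assumed maximum width/height in pixels

// Magic bytes of the three formats accepted here.
const SIGNATURES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => "GIF8",           // matches both GIF87a and GIF89a
];

/** Return the format whose signature starts the data, or null. */
function sniff_format(string $bytes): ?string {
    foreach (SIGNATURES as $fmt => $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) {
            return $fmt;
        }
    }
    return null;
}

/**
 * Validate $src, decode it with GD and write a clean PNG into $destDir.
 * Returns the generated filename, or throws RuntimeException on rejection.
 */
function sanitize_image(string $src, string $destDir): string {
    $size = filesize($src);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    $bytes = file_get_contents($src);
    if (sniff_format($bytes) === null) {
        throw new RuntimeException('not a PNG, JPEG or GIF');
    }

    // GD emits a warning and returns false on data it cannot decode; that
    // failure is the error signal the answer above relies on.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }
    if (imagesx($img) > MAX_DIM || imagesy($img) > MAX_DIM) {
        imagedestroy($img);
        throw new RuntimeException('image too large');
    }

    // Re-encode the pixels. The output name, extension and later Content-Type
    // are all chosen server-side; nothing from the upload's name is reused.
    $name = bin2hex(random_bytes(16)) . '.png';
    $out  = rtrim($destDir, '/') . '/' . $name;
    if (!imagepng($img, $out, 6)) {
        imagedestroy($img);
        throw new RuntimeException('could not write output');
    }
    imagedestroy($img);
    return $name;
}

// Usage with the assumed form field and storage directory.
if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK) {
    try {
        $stored = sanitize_image($_FILES['avatar']['tmp_name'], '/var/www/avatars');
        echo 'stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The signature check on its own only rejects files that do not start like an image; a real image with HTML appended after its data passes it, which is the weakness the comments on both answers are pointing at. The GD re-encode is what drops those appended bytes, at the cost of discarding animation from GIFs and any metadata the user wanted to keep.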
A: 

Are you talking about the issue where IE will interpret an image with HTML tags in it as being an HTML page, thus allowing HTML and script injection from user-submitted images?

(The bug being that IE will do this even if you tell it the Content-Type is an image/ type. Microsoft have caused endless security disasters with this attempt to be ‘helpful’.)

If so, the usual solution is to serve user-submitted images from a different hostname, one which does not have access to cookies or scripting at the main hostname from which you serve your web application.

Be sure to lock down your virtual servers so that the image server and the app server are each only available from one particular hostname (and the app server must not be accessible via IP address).

This will fix the cross-site-scripting issues. You may still have cross-site-request-forgery requests to deal with, but that's a different problem and can be exploited without image-wrapped script-injection.

bobince
+1 sounds like useful information to me!
alex
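An added example of the serving side of this answer, not code from the answer itself: the PHP script that hands out stored avatars on the dedicated image hostname. The hostname, the storage directory, the `f` query parameter and the filename pattern (32 hex characters plus `.png`, as produced by a server-side re-encoder) are assumptions for the example; the per-hostname virtual-server lockdown the answer describes still belongs in the web server configuration, and the Host check here is only a script-level backstop for it.

```php
<?php
// Added example (not from the original answer): serve user avatars from a
// separate, cookieless hostname with a fixed image Content-Type. The host
// name, directory, query parameter and filename pattern are assumptions.

const IMAGE_HOST = 'usercontent-example.net';   // assumed image-only hostname
const AVATAR_DIR = '/var/www/avatars';          // assumed storage directory

/**
 * Map the requested name to a file inside AVATAR_DIR, or return null.
 * Only names of the form <32 hex chars>.png are accepted, so the parameter
 * cannot select anything outside the avatar directory.
 */
function avatar_path(string $name): ?string {
    if (!preg_match('/\A[0-9a-f]{32}\.png\z/', $name)) {
        return null;
    }
    $path = AVATAR_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

// 1. Refuse requests that did not arrive via the image hostname, so the same
//    file cannot be loaded under the application's origin (where it would
//    share cookies and script access with the game).
$host = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
if ($host !== IMAGE_HOST) {
    http_response_code(404);
    exit;
}

// 2. Resolve and serve with headers that fix the type and forbid scripting.
$path = avatar_path($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/png');
// Tells IE8 and later, and current browsers, not to second-guess the type.
header('X-Content-Type-Options: nosniff');
// Even if some client still renders the body as a document, a sandboxed
// document with no script or origin access is all it gets.
header('Content-Security-Policy: sandbox');
header('Content-Disposition: inline; filename="avatar.png"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: public, max-age=86400');
readfile($path);
```

The `X-Content-Type-Options: nosniff` and `Content-Security-Policy: sandbox` headers did not exist when this answer was written and do not replace the separate hostname; they add defence in depth on top of it for the browsers that honour them.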
+5  A: 
Unkwntech
Awesome hack! I wish I was that smart :)
Robert Gould
Are you sure your web server isn't logging this by default? :)
Tom
Well of course my web server is logging it, but I assumed that was assumed. Just like it should be assumed that your ISP logged the connection to my server also.
Unkwntech