> Moreover, that still doesn't protect you, as it would be possible to
> make a valid image where the payload happened in the image data...

Agreed. But sanitizing input by silently removing blocks of data your users rightfully expect to be preserved? That's egregious, even if it "worked."

(Like many such discussions, I almost can't believe we're having this one... I mean, executing images is just not normal whether or not you can "bear the (performance) cost." Who is doing this on purpose?)

-- S.

--
PHP Internals - PHP Runtime Development Mailing List