As designed No Image-Check when importing

As switchers from vb to xenforo we had an issue last night. Our Malware-Scanner reportet an included <?php tag in one of the imported avatars. We stored our avatars in our database before.

While XenForo itself doesn't permit to upload this picture, it was imported. An option to check for invalid pictures would be good if checking while importing produces to much overhead.


XenForo developer
Staff member
In this case, it was actually a valid image that was already in your system. We do full image checks when importing so it wouldn't be imported without appearing to be a valid image.

However, we do have an extra check on any uploaded image for the "<?php" string, though this is mostly to attempt to (partially) workaround a security issue that comes from a server misconfiguration. This issue is moot on most servers; it's a specific Nginx configuration (generally well documented). We just provide an extra layer of protection against it, at the expense of a theoretical false positive.