Allowing Users To Post Images In The Forums

Allowing Users To Post Images In The Forums

The Forums feature is designed for use by untrusted users. Any content posted in the forums is processed on output by some xss (cross site scripting) prevention. If an Administrator marks a user as trusted then the posts by that user are not filtered. In that case even javascript could be posted so you really should not mark a user as trusted unless they really are someone you trust. I mention that because often people want to allow users to post images, and they think that making the user trusted is the solution but that is not advisable.

You can allow users to upload images, the risks of allowing that are low but risks do exist so you should decide carefully. For example there have been in the past vulnerabilities in operating system processing of .png images for example and when that was a vulnerability it was possible to craft a malicious .png file. That said, the risks are relatively low for a fully patched system.

Under Administration > Permissions you will find "Roles than can browse and upload but only in a user specific folder"

you could either create a new role to allow some users to upload images, or you could allow "Authenticated Users" which is a role assigned automatically to all users who register on the site.

Users in the allowed roles will see an image toolbar item when they post in the forums, allowing them to upload images and post them. 

The forum filtering by default allows local images with relative urls, so granting the user upload permissions should be sufficient to allow them to post images in the forums.

It is also possible to allow any image from any url including external urls, by adding this in user.config:

<add key="Forum:AllowExternalImages" value="true" />

Note that changes in user.config are not automatically detected so to make it see the new settign you need to make a small edit in Web.config ie type a space and save it.