How to prevent gifs to be shown or played with Markdown image tag?

maxmoon

I would like to provide a distraction free environment and want to prevent gifs from being played or to avoid them being shown at all if the Markdown image tag is used. Only static images should be allowed.

Is it possible to restrict Flarum to play gifs?
Is it possible to avoid gifs being shown at all (with image tag)?

focus

clarkwinkelmann

I don't think there exists an extension for this at this time, but there are definitely possibilities.

First of all I'd like to point out this might be impossible to completely block. It might be easier overall to make this a rule enforced by moderation and maybe only use the solutions below as a quick warning to the user so they don't unintentionally break the rules.

The easiest solution would be to start with URLs that end with .gif, you could use some custom CSS to automatically blank out image tags with an URL that contains/ends with that, but users might be able to work around it with clever query strings, or host files on a service that doesn't append file extensions. Doing the filtering in PHP or javascript would allow better parsing of the URL, but still it would require the file extension to be part of the URL.

If you only allow local uploads, you should be able to block the mime type altogether. This is already possible with FoF Upload.

To handle other remote images unfortunately it becomes quite complex. Using javascript, it might be possible to analyze the image after it has been loaded in the browser. If GIFs can't be detected in browser, an option could be to write the image to a canvas, effectively deleting the animation. But this would likely cause cross-origin errors.

The solution with most control would be to process images server-side. My paid Rich Embeds extension already provides an option to parse images for meta data, which could be used for such an implementation. Unfortunately again just parsing the image once and rejecting GIFs wouldn't be sufficient against bad actors since they could use an image endpoint that only returns an animation after the crawler has checked the type of the image. But by proxying all images (something my extension also does) a filter could be implemented so it runs every time. Just to be clear my extension can't filter GIFs at this time but it's a feature I could add if there's interest.

Therefore the only solutions that could prevent bypass of external resources would be javascript based or server-side by proxying all images.

The implementation in Discord/other comes to mind, where the GIF playback stops when the window is inactive or the mouse pointer isn't over the file. But I'm really not sure it can be done with cross-origin images.

Maybe there's some fancy new HTML attribute I am not aware of that can tell the browser to disable image animations, this would make the "play/pause" client-side implementation much easier without canvas requirement.

maxmoon

clarkwinkelmann you could use some custom CSS to automatically blank out image tags with an URL that contains/ends with that

I may have found somthing but couldn't work out how I could use this to stop the animation from the beginning.

clarkwinkelmann If you only allow local uploads, you should be able to block the mime type altogether. This is already possible with FoF Upload.

The FoF Upload extension is pretty good, because I can control what people can upload, but with the markdown image tag people can still use any link they want or did I oversee something?

clarkwinkelmann My paid Rich Embeds extension already provides an option to parse images for meta data, which could be used for such an implementation.

Here is the link to your extension so others can find it.

For me the extension is a little bit too powerful, it loads more information from other sites. My goal would be to reach the opposite. Don't load external data.

clarkwinkelmann Therefore the only solutions that could prevent bypass of external resources would be javascript based or server-side by proxying all images.

This sounds like a really good very first Flarum extension project. As soon as I've completed to configure my new forum, I will start working on this extension, but I couldn't figure out good tutorials to create them. The official Flarum docs only shows a really small example and I am missing a lot of stuff there.

Thanks a lot for your help 🙂