It was done for security. You could do something like:
or do the same for deleting.
Hi, I noticed there is a thread on this topic in the Support forum as well, but A) that forum moves so fast I'm afraid my post would get lost in the fold, and B) this is not a request for support, but a request for more information about changes made to phpBB.
So hopefully posting in this forum is appropriate.
Can anybody verify with the development team what the security risk of non-image extensions is? Because the code is not going into <a href=""></a> tags, it is going into <img> tags. Whatever sort of cross-site thingy you try to inject, the browser would be trying to interpret as binary data representing a known image format.
I don't understand how non-image extensions can conceivably introduce a security risk?
As txuspe showed, you can still link to non-image files just by fooling the reg-exp, so I don't see what this change is accomplishing except for breaking thousands of people's signature and avatar graphics.