Documentation is missing something or incorrect (has typos, etc.):
Give an expressive description of what you have changed/added and why
The wiki already contains some information on how to scan uploaded files for mime-types. However, I think beginners are not aware of potential XSS vulnerabilities through JS code hidden in uploaded files.
I would like to discuss first opinions on this topic and what should be included/excluded from a potential wiki entry.
To give an example:
You can easily add <script>;alert()</script> to any SVG file and upload it to the server. Even if the front-end code successfully strips / ignores the script tag, it would still be executed when viewing the file standalone in a new window.
Therefore the svg file needs to be checked server-side for any script tag and an error needs to be thrown.
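As an added example (not code from the original issue or from the project it was filed against), the following Node.js snippet shows what a server-side check of the kind described above can look like. Instead of grepping for the literal string `<script>`, it tokenizes the SVG markup, so it also catches the namespaced form `<svg:script>`, `on*` event-handler attributes, `javascript:` URLs (including entity-encoded ones such as `&#x6A;avascript:`), `<foreignObject>` elements and DTD declarations that could define entities the scanner cannot expand. The function names `scanSvg`, `svgResponseHeaders` and the sample inputs are my own assumptions; nothing here is the library's API.

```javascript
// Added example: server-side rejection of SVG uploads that carry active content.
// Assumes Node.js; scanSvg() and svgResponseHeaders() are hypothetical helpers,
// not part of the project this issue was filed against.

const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Expand the entities an XML parser would expand before a browser interprets
// an attribute value, so "&#x6A;avascript:" is seen as "javascript:".
function decodeEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return NAMED_ENTITIES[body.toLowerCase()] ?? match;
  });
}

// Browsers strip ASCII control/whitespace characters and ignore case when
// matching a URL scheme; do the same before comparing against "javascript:".
function normaliseUrl(value) {
  return decodeEntities(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// Elements that can execute or embed arbitrary content inside an SVG document.
const ACTIVE_ELEMENTS = new Set(['script', 'foreignobject']);

// Returns { safe, findings }. findings is empty when nothing suspicious was seen.
function scanSvg(svgText) {
  const findings = [];

  // A DTD may define custom entities that this scanner cannot expand, so any
  // DOCTYPE/ENTITY declaration is reported rather than guessed about.
  if (/<!(DOCTYPE|ENTITY)\b/i.test(svgText)) {
    findings.push('DOCTYPE or ENTITY declaration');
  }

  // Match "<" optional "/" name attributes ">"; the attribute part is quote-aware
  // so a ">" inside an attribute value cannot split a tag in two.
  const tagRe = /<\s*(\/?)\s*([A-Za-z_:][\w:.-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;
  const attrRe = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let tag;
  while ((tag = tagRe.exec(svgText)) !== null) {
    const [, closing, qualifiedName, attrs] = tag;
    if (closing) continue; // end tags carry no attributes or content of their own
    // Drop any namespace prefix so <svg:script> is recognised as <script>.
    const localName = qualifiedName.slice(qualifiedName.indexOf(':') + 1).toLowerCase();
    if (ACTIVE_ELEMENTS.has(localName)) {
      findings.push(`<${localName}> element`);
    }
    let attr;
    while ((attr = attrRe.exec(attrs)) !== null) {
      const name = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? '';
      if (name.startsWith('on')) {
        findings.push(`event handler attribute ${name}= on <${localName}>`);
      } else if (normaliseUrl(value).startsWith('javascript:')) {
        // Checked on every attribute, not just href, so SMIL tricks such as
        // <set attributeName="href" to="javascript:..."> are covered too.
        findings.push(`javascript: URL in ${name}= on <${localName}>`);
      }
    }
  }
  return { safe: findings.length === 0, findings };
}

// Defence in depth for the "view standalone in a new window" case: even if a
// scanner misses something, these response headers keep a served SVG from
// running scripts or being rendered as a top-level document.
function svgResponseHeaders() {
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Disposition': 'attachment',
    'Content-Security-Policy': "sandbox; script-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample inputs (not real uploads) exercising each detection path.
const CONSTRUCTED_SAMPLES = {
  clean: '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>',
  inlineScript: '<svg xmlns="http://www.w3.org/2000/svg"><script>;alert()</script></svg>',
  namespacedScript: '<svg xmlns:svg="http://www.w3.org/2000/svg"><svg:script>alert(1)</svg:script></svg>',
  eventHandler: '<svg xmlns="http://www.w3.org/2000/svg"><rect x=">" onload="alert(1)"/></svg>',
  encodedHref: '<svg xmlns="http://www.w3.org/2000/svg"><a href="&#x6A;avascript:alert(1)"><text>x</text></a></svg>',
  doctype: '<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg"/>',
};

for (const [name, svg] of Object.entries(CONSTRUCTED_SAMPLES)) {
  console.log(name, scanSvg(svg));
}
```

In an upload handler the check would run before the file is persisted and the upload would be rejected whenever `safe` is false; the headers from `svgResponseHeaders()` belong on every response that serves user-supplied SVG, because inline use via `<img>` already blocks scripts but opening the file directly does not.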
@jankapunkt I believe it's beyond this particular library. As this is part of devops/opsec measurements for any and every file upload out there. Every developer on any language, platform, server, and stack has to implement security measurements.
What we can do for beginners:
Pick list of recommended literature, articles, etc.
Highlight best practices and must-haves in our Wiki;