
Wiki entry for scanning files against XSS #753

Description

@jankapunkt

Documentation is missing something or is incorrect (has typos, etc.):

  • Give an expressive description what you have changed/added and why

The wiki already contains some information on how to scan uploaded files for MIME types. However, I think beginners are not aware of potential XSS vulnerabilities through JS code hidden in uploaded files.

I would like to first discuss opinions on this topic and what should be included in / excluded from a potential wiki entry.

To give an example:

You can easily add <script>;alert()</script> to any SVG file and upload it to the server. Even if the front-end code successfully strips / ignores the script tag, it would still be executed when viewing the file standalone in a new window.

Therefore, the SVG file needs to be checked server-side for any script tag and an error needs to be thrown.
