Explicitly disallowed file types?


(Michael Brown) #1

In the Site Settings, the Discourse administrator can configure a list of allowed file types for uploaded files.

Which file types should be explicitly disallowed - such that we prevent (or at least pop up VERY SEVERE WARNINGS) administrators from even allowing them?

  • .htm, .html: to prevent XSS attacks

(Michael - DiscourseHosting.com) #2

To prevent XSS: .js, .swf, .html, .htm

To prevent attacks on the server: .shtml, .php, .php3, .cgi, .pl, .py
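As an added example (not Discourse's own code), here are the two checks this thread asks for, written in Ruby since that is Discourse's implementation language: warn an administrator whose allowed-extension setting contains one of the extensions named above, and refuse an upload whose name carries one of them in any suffix position. The pipe-separated setting format and the `*` allow-all value are assumptions about the setting's shape, not taken from the thread.

```ruby
# Added example, not Discourse code: validate an allowed-extension setting
# and uploaded filenames against the deny lists posted in this thread.
require 'set'

# Extensions named in the thread, grouped by the risk each carries.
XSS_EXTENSIONS    = Set['js', 'swf', 'html', 'htm'].freeze
SERVER_EXTENSIONS = Set['shtml', 'php', 'php3', 'cgi', 'pl', 'py'].freeze

# Normalise one token so ".PHP", "php" and " Php " all compare equal.
def normalize_ext(token)
  token.to_s.strip.sub(/\A\.+/, '').downcase
end

# Parse a pipe-separated setting such as "jpg|png|.HTML".
# (Pipe-separated is an assumption about the setting's format.)
def parse_allowed(setting)
  setting.split('|').map { |t| normalize_ext(t) }.reject(&:empty?)
end

# Return one warning per allowed extension that is on a deny list.
# An empty array means the setting is clean.
def check_setting(setting)
  # Assumption: a lone "*" means "allow every extension".
  return ['*: allow-all includes every extension listed below'] if setting.strip == '*'

  parse_allowed(setting).each_with_object([]) do |ext, warnings|
    if XSS_EXTENSIONS.include?(ext)
      warnings << "#{ext}: browser-executable, enables stored XSS"
    elsif SERVER_EXTENSIONS.include?(ext)
      warnings << "#{ext}: server-executable, enables code execution on the host"
    end
  end
end

# Decide whether an uploaded filename is acceptable under the setting.
# Every suffix segment is checked, not only the last, so "notes.php.txt"
# is refused even when "txt" is allowed (a deliberately conservative rule).
def upload_allowed?(filename, setting)
  allowed  = Set.new(parse_allowed(setting))
  segments = File.basename(filename.to_s).split('.')
  return false if segments.size < 2 # no extension at all

  suffixes = segments[1..-1].map { |s| normalize_ext(s) }
  return false if suffixes.any? { |s| XSS_EXTENSIONS.include?(s) || SERVER_EXTENSIONS.include?(s) }

  allowed.include?(suffixes.last)
end

if __FILE__ == $PROGRAM_NAME
  check_setting('jpg|.HTML|php3').each { |w| puts "WARNING #{w}" }
  puts upload_allowed?('photo.JPG', 'jpg|png')
end
```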