Explicitly disallowed file types?

supermathie · January 12, 2014, 8:38pm

In the Site Settings, the Discourse administrator can configure a list of allowed file types for uploaded files.

Which file types should be explicitly disallowed - such that we prevent (or at least pop up VERY SEVERE WARNINGS) administrators from even allowing them?

.htm, .html: to prevent XSS attacks

michaeld · January 12, 2014, 9:17pm

To prevent XSS: .js, .swf, .html, .htm

To prevent attacks on the server: .shtml, .php, .php3, .cgi, .pl, .py

Topic		Replies	Views
Additional filetypes for staff Support	4	674	April 26, 2020
Allowable File Types Feature	2	2045	September 20, 2016
Is it safe to allow HTML uploads? Support	8	1157	October 16, 2023
Is it safe to allow HTML uploads? (2023) Support	0	358	November 15, 2023
Supported file extensions Support	4	851	June 8, 2024

Explicitly disallowed file types?

Related Topics