Explicitly disallowed file types?

supermathie · January 12, 2014, 8:38pm

In the Site Settings, the Discourse administrator can configure a list of allowed file types for uploaded files.

Which file types should be explicitly disallowed - such that we prevent (or at least pop up VERY SEVERE WARNINGS) administrators from even allowing them?

.htm, .html: to prevent XSS attacks

michaeld · January 12, 2014, 9:17pm

To prevent XSS: .js, .swf, .html, .htm

To prevent attacks on the server: .shtml, .php, .php3, .cgi, .pl, .py

Topic		Replies	Views
Additional filetypes for staff support	4	621	April 26, 2020
Allowable File Types feature	2	1972	September 20, 2016
Is it safe to allow HTML uploads? support	8	1028	October 16, 2023
Is it safe to allow HTML uploads? (2023) support	0	268	November 15, 2023
Supported file extensions support	3	789	October 24, 2017

Explicitly disallowed file types?

Related Topics