Is it safe to allow HTML uploads?

As far as I can see the uploaded HTMLs are just downloaded as normal files (e.g. archives or PDFs), so it’s up to the user and the browser settings (open automatically after download, …) whether to open them.

But this topic mentions something about XSS…

As I understand there is no way to interact with the Discourse page from the downloaded file?
So the worst it can do is show some kind of phishing content.


It’s not a good idea in my opinion.


Could you please elaborate why? :thinking:

For exactly the same reason you wouldn’t want phishing links appearing on a community?

Discourse isn’t a DMS or file storage, why would you use it just to facilitate the download of HTML files, surely code is better housed somewhere like GitHub?


Sometimes it’s more convenient to just upload HTML showing some simple issue, etc., and if it’s just one file then putting it into a ZIP archive only creates unnecessary difficulties.

The forum is mainly for developers, so it should be safe to assume that they know what they are doing when opening the downloaded file and will recognize phishing attempts, will not enter any passwords there, quickly report it, etc.
So the only concern is whether it is possible to exploit any vulnerabilities, XSS, etc. when uploading HTML files (compared to ZIP archives with HTML files).
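The question above (can an uploaded HTML file reach the forum page, or can it only show phishing content) comes down to how the server answers a request for the upload URL, not to the file itself. What follows is an added example, not Discourse code and not anything from this thread: a small header classifier with constructed sample responses (the hostnames forum.example and cdn.example, the upload paths and every header set are made up for illustration). For each response it reports whether the browser would force a download, render the file on the forum's own origin (the stored-XSS case), render it on a separate origin (phishing risk only), or render it in an isolated sandbox.

```python
"""Classify what a browser does with an uploaded .html file from the
response headers the upload URL returns.

Hypothetical audit helper written for this thread; it is not part of
Discourse and makes no claim about Discourse's real headers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Finding:
    outcome: str                               # one of the OUTCOMES keys
    reasons: list[str] = field(default_factory=list)


OUTCOMES = {
    "download": "forced download; never renders as a forum page",
    "not-html": "declared as a non-HTML type; browser will not render it as a page",
    "inline-sandboxed": "renders, but CSP sandbox gives it an opaque origin (no forum cookies or DOM)",
    "inline-other-origin": "renders on a separate origin: phishing/content hosting, no forum XSS",
    "inline-same-origin": "renders on the forum origin: stored XSS against every visitor",
}


def _origin(url: str) -> tuple[str, str, int]:
    """Scheme, host and effective port, which is what same-origin compares."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower(), 0)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port or default_port)


def _get(headers: dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def assess_upload_response(forum_url: str, upload_url: str, headers: dict[str, str]) -> Finding:
    reasons: list[str] = []

    # 1. Content-Disposition: attachment is what makes the file "just download".
    disposition = _get(headers, "Content-Disposition").strip().lower()
    if disposition.startswith("attachment"):
        reasons.append("Content-Disposition: attachment forces a download")
        return Finding("download", reasons)

    # 2. A declared non-HTML type is honoured; a missing type invites sniffing.
    media_type = _get(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = _get(headers, "X-Content-Type-Options").strip().lower() == "nosniff"
    if media_type and media_type != "text/html":
        reasons.append(f"declared type {media_type} is not HTML"
                       + (" (nosniff set)" if nosniff else " (no nosniff header)"))
        return Finding("not-html", reasons)
    if not media_type:
        reasons.append("no Content-Type declared; browser sniffing decides, so treat as HTML")
    else:
        reasons.append("served inline as text/html")

    # 3. A CSP sandbox without allow-same-origin renders the page in an opaque origin.
    csp = _get(headers, "Content-Security-Policy")
    sandbox = re.search(r"(?:^|;)\s*sandbox\b([^;]*)", csp, re.IGNORECASE)
    if sandbox and "allow-same-origin" not in sandbox.group(1).lower():
        reasons.append("CSP sandbox without allow-same-origin: opaque origin")
        return Finding("inline-sandboxed", reasons)

    # 4. Otherwise the only thing left is whether the upload shares the forum's origin.
    if _origin(forum_url) == _origin(upload_url):
        reasons.append("upload URL shares the forum's origin")
        return Finding("inline-same-origin", reasons)
    reasons.append("upload URL is on a different origin from the forum")
    return Finding("inline-other-origin", reasons)


# Constructed samples (made-up hosts, paths and headers) covering each outcome.
FORUM = "https://forum.example"
SAME = f"{FORUM}/uploads/default/original/issue.html"
CDN = "https://cdn.example/uploads/default/original/issue.html"
SAMPLES = {
    "attachment": (SAME, {"Content-Type": "text/html",
                          "Content-Disposition": 'attachment; filename="issue.html"'}),
    "inline_same_origin": (SAME, {"Content-Type": "text/html; charset=utf-8"}),
    "inline_cdn": (CDN, {"Content-Type": "text/html"}),
    "inline_sandboxed": (SAME, {"Content-Type": "text/html",
                                "Content-Security-Policy": "sandbox"}),
    "missing_type": (SAME, {}),
    "plain_text": (SAME, {"Content-Type": "text/plain",
                          "X-Content-Type-Options": "nosniff"}),
}


def audit_samples() -> dict[str, str]:
    """Run the classifier over the constructed samples; returns name -> outcome."""
    return {name: assess_upload_response(FORUM, url, hdrs).outcome
            for name, (url, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in audit_samples().items():
        print(f"{name:20} -> {outcome}: {OUTCOMES[outcome]}")
```

To use it against a real forum, pass the header dictionary returned by any HTTP client for the upload URL; the decision rests only on Content-Disposition, Content-Type, X-Content-Type-Options and Content-Security-Policy, so those are the four headers to compare between a bare HTML upload and a ZIP containing the same file.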

As a personal preference, I prefer not to have to download any files at all. I’d rather just see the code in the post. So, my question is…

is there any reason the HTML is not added directly in the posts as a code block?

```html
<p>People have been catching fish for food since before recorded history…</p>

<p>The first thing you’ll need is a fishing rod or pole that you find comfortable and is strong enough for the kind of fish you’re expecting to land…</p>
```

That way it’ll be visible right away, won’t require any files to be downloaded and won’t take up much space in the post - since we force scrollbars on code blocks beyond a certain height. Plus, there are 0 security risks involved since it won’t be parsed at all.

I can expand on this if this solution works for you.


Yeah, I agree that usually it’s better to do it this way, but sometimes people still prefer to attach files, e.g. when it is too big, or when they want to show some kind of visual issue (easier than copy-pasting to a new file, etc.).