Wiki entry for scanning files against XSS #753
Comments
@jankapunkt I believe it's beyond this particular library. As this is part of devops/opsec measurements for any and every file upload out there. Every developer on any language, platform, server, and stack has to implement security measurements. What we can do for beginners:
Let me know wdyt
Thanks for highlighting this @jankapunkt. I also thought of it and what the best practices are.
Hey @harryadel, I would definitely cite these sources when creating a wiki entry. I will create a new entry when there is time next week.
Documentation is missing something or incorrect (have typos, etc.):
The wiki already contains some information on how to scan uploaded files for MIME types. However, I think beginners are not aware of potential XSS vulnerabilities through JS code hidden in uploaded files.
I would like to discuss first opinions on this topic and what should be included/excluded from a potential wiki entry.
To give an example:
You can easily add `<script>;alert()</script>` to any SVG file and upload it to the server. Even if the front-end code successfully strips / ignores the `script` tag, it would still be executed when viewing the file standalone in a new window. Therefore the SVG file needs to be checked server-side for any `script` tag and an error needs to be thrown.