Wiki entry for scanning files against XSS #753

Open
jankapunkt opened this issue Jun 26, 2020 · 3 comments

Comments

@jankapunkt
Collaborator

jankapunkt commented Jun 26, 2020

Documentation is missing something or incorrect (have typos, etc.):

  • Give an expressive description of what you have changed/added and why

The wiki already contains some information on how to scan uploaded files for MIME types. However, I think beginners are not aware of potential XSS vulnerabilities through JS code hidden in uploaded files.

I would like to first discuss opinions on this topic and what should be included in / excluded from a potential wiki entry.

To give an example:

You can easily add <script>;alert()</script> to any SVG file and upload it to the server. Even if the front-end code successfully strips / ignores the script tag, it would still be executed when viewing the file standalone in a new window.

Therefore the SVG file needs to be checked server-side for any script tag, and an error needs to be thrown.
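
One way to do the server-side check described above, as an added example that is not part of this issue and not Meteor-Files code: a conservative scan of the uploaded bytes for the constructs that make an SVG execute script when it is opened as a top-level document. It goes beyond the single `<script>` tag in the comment and also flags event-handler attributes, `javascript:` hrefs (including numeric-entity-encoded ones), `<foreignObject>`, SMIL animations that rewrite `href`, DOCTYPE entity declarations and `@import` in styles. The function names, the pattern list and the sample SVGs are assumptions made for this example.

```javascript
// Added example, not Meteor-Files code: a conservative server-side scan of an
// uploaded SVG for content that runs script when the file is opened as a
// top-level document. Function names, pattern list and the sample SVGs
// below are assumptions made for this example.

// Each pattern is one way an SVG can carry executable content. A match is a
// reason to reject the upload (the scan is deliberately over-inclusive).
const ACTIVE_CONTENT_PATTERNS = [
  // <script>, <svg:script>, <html:script>, <script href="...">
  { name: 'script element', re: /<\s*(?:[\w-]+:)?script\b/i },
  // onload="...", onclick=..., onbegin=... (SMIL) on any element
  { name: 'event handler attribute', re: /[\s"'<\/]on[a-z]+\s*=/i },
  // <foreignObject> embeds arbitrary HTML, including <script> and <iframe>
  { name: 'foreignObject element', re: /<\s*(?:[\w-]+:)?foreignObject\b/i },
  // HTML elements that load another document when the SVG is the document
  { name: 'embedded document element', re: /<\s*(?:[\w-]+:)?(?:iframe|embed|object|frame)\b/i },
  // SMIL rewriting an href, e.g. <set attributeName="href" to="javascript:...">
  { name: 'animation targeting href', re: /<\s*(?:[\w-]+:)?(?:set|animate)\b[^>]*attributeName\s*=\s*["']?\s*(?:xlink:)?href/i },
  // DTD internal subset: external entities (XXE) and entity-expansion bombs
  { name: 'DOCTYPE internal subset or ENTITY declaration', re: /<!DOCTYPE[^>]*\[|<!ENTITY\b/i },
  // CSS that loads or runs code
  { name: '@import or javascript: URL in style', re: /@import\b|url\s*\(\s*["']?\s*javascript\s*:/i },
];

// Decode numeric character references (&#106; / &#x6A;) so that obfuscated
// values such as href="&#106;avascript:..." are seen the way the XML parser
// will present them to the browser.
function decodeNumericEntities(text) {
  const toChar = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return text
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => toChar(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => toChar(parseInt(dec, 10)));
}

// Turn the uploaded bytes into text, refusing encodings (UTF-16/32 BOMs, NUL
// bytes, malformed UTF-8) under which the patterns above would not match the
// bytes the browser will parse.
function decodeSvgBytes(input) {
  if (typeof input === 'string') return input;
  const bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
  const utf16Bom = (bytes[0] === 0xff && bytes[1] === 0xfe) || (bytes[0] === 0xfe && bytes[1] === 0xff);
  if (utf16Bom || bytes.includes(0)) {
    throw new Error('SVG rejected: not UTF-8 encoded');
  }
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes); // throws on malformed UTF-8
}

// Returns the list of reasons the SVG text should be rejected; empty if clean.
function findActiveContent(svgText) {
  const decoded = decodeNumericEntities(String(svgText));
  const findings = ACTIVE_CONTENT_PATTERNS
    .filter((p) => p.re.test(decoded))
    .map((p) => p.name);
  // URL parsers drop ASCII tab, LF and CR, so "java\nscript:" is still javascript:
  const compact = decoded.replace(/[\t\n\r]/g, '');
  if (/href\s*=\s*["']?\s*javascript\s*:/i.test(compact)) {
    findings.push('javascript: URI in href');
  }
  return findings;
}

// Server-side entry point: returns true for an acceptable file, throws otherwise.
function checkUploadedSvg(fileBytes) {
  const findings = findActiveContent(decodeSvgBytes(fileBytes));
  if (findings.length > 0) {
    throw new Error('SVG rejected: ' + findings.join('; '));
  }
  return true;
}

// Constructed sample inputs (not real uploads).
const SAMPLES = {
  clean: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>',
  scriptTag: '<svg xmlns="http://www.w3.org/2000/svg"><script>;alert()</script></svg>',
  onloadAcrossLines: '<svg xmlns="http://www.w3.org/2000/svg"\n  onload="alert(1)"><rect width="1" height="1"/></svg>',
  encodedHref: '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">' +
    '<a xlink:href="&#106;ava&#115;cript:alert(1)"><text y="10">click</text></a></svg>',
  foreignObject: '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>' +
    '<body xmlns="http://www.w3.org/1999/xhtml"><iframe src="x"></iframe></body></foreignObject></svg>',
  externalEntity: '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>' +
    '<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>',
};

for (const [name, svg] of Object.entries(SAMPLES)) {
  const findings = findActiveContent(svg);
  console.log(`${name}: ${findings.length ? 'REJECT (' + findings.join('; ') + ')' : 'accept'}`);
}
```

Call `checkUploadedSvg` from the server-side hook that runs once the upload has landed and delete the file when it throws. Two caveats a reader of the wiki entry should see: a blocklist scan like this is a sanity check, not a sanitizer, so new vectors can slip past it, which is why an allowlist-based sanitizer or rasterizing the SVG on the server is the stronger option; and the script only runs because the file is opened as a document on the application's origin, so serving user uploads with `Content-Disposition: attachment`, a `Content-Security-Policy: script-src 'none'` header, or from a separate origin limits the damage even when the scan misses something.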

@dr-dimitru
Member

@jankapunkt I believe it's beyond this particular library, as this is part of the devops/opsec measures for any and every file upload out there. Every developer on any language, platform, server, and stack has to implement security measures.

What we can do for beginners:

  1. Pick a list of recommended literature, articles, etc.
  2. Highlight best practices and must-haves in our Wiki.

Let me know wdyt

@harryadel
Contributor

Thanks for highlighting this @jankapunkt. I also thought of it and wondered what the best practices are.
What about these links for literature? @dr-dimitru

@jankapunkt
Collaborator Author

Hey @harryadel, I would definitely cite these sources when creating a wiki entry. I will create a new entry when there is time next week.
