On tinymce v5.10, I want to allow the upload on .svg type of image and am not able to do it. I wanted to know if there is a possibility to allow .svg file to be uploaded through drag and drop or upload dialog.
SVG uploads are not supported by default because they are a security risk. A user could insert malicious code into an SVG and upload it to your server. However, it is possible to allow them if you use image_file_types in your tinymce.init:
tinymce.init({
// ...
images_file_types: 'svg,jpeg,jpg,jpe,jfi,jif,jfif,png,gif,bmp,webp'
});
Use at your own risk, and SVGs should be sanitized on the server-side to avoid XSS attacks.
image_file_types docs: https://www.tiny.cloud/docs/configure/file-image-upload/#images_file_types
Related
I'm building an app which allows users to upload their images to IPFS and the image will be loaded using an <img> tag, the file type checking is done only in the frontend.
However, I'm also aware of the File Upload Vulnerability in normal centralized servers. So here's my question, would hackers be able to explore this?
The following is a JavaScript file I tried to bypass frontend checking and upload to IPFS, however, when I try to access its URL it returns the file in text instead of executing it. As a sophisticated hacker, would he/she be able to upload a malicious file somehow and cause damage on my site or my users?
https://cloudflare-ipfs.com/ipfs/bafybeigynjetni7b2z52qqv75u5c6k3fgrowqdp6a4qtcbfd4rq7nnj3pu/
All data on ipfs in the public node is Public. If you want to secure files you need to encrypt them. https://docs.ipfs.tech/concepts/privacy-and-encryption/
I'm using Jodit 3.18.9 with
ace 1.4.12
js-beautify 1.13.0
with uploader configs allowing to upload images separately from text into DB.
Once the image is uploaded, we use .insertImage(xxx) to add images into jodit editor. In this case, if we want to protect uploaded files, we may need to generate and attach a temp token to the url.
My question is, without doing some custom implementations (such as doing http requests for each image to get contents, and replace links with their base64 contents), is there some 'official' supports to do a get (image) query with jwt token or not ?
thanks a lot
I have a web application where user can upload and view files. The user has a link next to the file (s)he has uploaded. Clicking on the link will open the file in the browser (if possible) or show the download dialog (of the browser). Meaning that, if the user upload an html/pdf/txt file it will be rendered in the browser but if it is a word document, it will be downloaded.
It is identified that rendering the HTML file in the browser could be a vulnerability - Cross Site Scripting.
What is the right solution to this problem? The two options I am currently looking at are:
to put Content-Disposition header in the response to make HTML files downloaded instead viewed in the browser.
to find some html scrubbing/sanitizing library to remove any javascript from the file before I serve it.
Looking at the gmail, they do the second approach (of scrubbing) with having a separate domain for the file download - may be to minimize/distract the attack surface. However in this approach the receiver gets a different file than what was sent. Which is not 'right' in my opinion; may be I am biased. In my case, the first one is easy to fix. But I wonder if that is enough, or is there any thing that I overlook!
What are your thoughts on these approaches? Or do you have any other suggestions?
Based on your description, I can see 3 posible attack types (maybe there are more):
Client side code execution
As you said, your web server may serve a file as HTML and run javascript code on the client. This can be avoided with Content-Disposition but I would go with MIME types control through Content-Type. I would define my known type of files (e.g. pdf, jpeg etc.) and serve them with their respective MIME type (e.g. application/pdf, image/jpeg etc.). Anything else I would serve it as application/octet-stream.
Server side code execution
Althougth I see this as an out of topic attack (since it involves other parts of your application and your server) be sure to avoid executing files on the server (e.g. PHP code through LFI). Your webserver should not access directly the files (e.g. again PHP), better store them somethere not accesible through a URL and retrive them on request.
Think if here you are able to reject files (e.g. reject .exe uploads) and ask the user to zip them first.
Trust issues
Since the files are under the same domain, the files will be accesible from javascript (ajax or load as script) and other programs (or people) may trust your links. This is also related to the previous point, if you don't need unzipped exe files, don't allow them. Using an other domain may mitigate some trust problems.
Other ideas:
Zip all files uploaded
Scan each file with antivirus software
PS: For me sanitization would not work in your case. The risk of missing something is too high.
Is anyone familiar with DNN 9 platform here? If so could someone direct me how to upload an svg file to the server. In older version of DNN(8,7 etc) there was a setting in the Host List settings where you could enable the file type, however in DNN these pages have been removed from the user interface.
The following command has been run in SSMS:
INSERT INTO Lists (ListName, Value, Text, DefinitionID, SystemList)
VALUES ('ImageTypes', 'svg', 'Scalable Vector Graphics', '-1', 'True');
This created a new line in the database, however when I try to upload a svg file it still show wrong format (The Allowed Filetypes are: "bmp,gif,jpeg,jpg,png").
Can someone direct me perhaps where can the svg file type be enabled?
Many thanks!
The option to add file types is still there. It has been moved and has a different name. Go to:
Settings > Security > More
There is a tab there called More Security settings. There you will find the Allowable File Extensions
Some DNN sites allow users to upload certain files to their sites. A malicious can upload an SVG file which can contain some malicious code to steal some users’ sensitive data (cookies, etc.)
I would like to modify my extension's popup dynamically (at run-time). And want to specify a custom popup HTML file that's loaded from my server.
In Firefox, I can easily accomplish this with XUL overlays which I can specify at run-time.
And document.loadOverlay() does allow me to specify a 'remote' URL for the overlay.
Is the same possible in Chrome?
I've been playing with chrome.browserAction.setPopup( details ) API, but it seems that the details.popup param must specify a local file, and not a remote URL.
I have answered this exact same question on the Chromium-Extensions mailinglist.
There is no API to load external popups but you can do that with plain JavaScript. What you could do (I have done that in the past):
Use an iframe + extension messaging within the popup. The iframe
points to some external url not hosted in the extension.
Use templates (jQuery templates example), load those template files to
your background page, and just use them to construct your popup.
Download the html contents using XHR and load them within the popup
by constructing the DOM.
I usually use the template approach, but I use the popup iframe approach when I want to manage the entire popup in the server side so I don't have to push updates to the extension gallery. I am not a fan of downloading the HTML contents, templating seems safer.
Hope this helped!