Commit

prevent xhtml files from being uploaded in the assets manager
aheinze committed Aug 14, 2023
1 parent 95977dd commit 34ab31e
Showing 2 changed files with 6 additions and 3 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -2,7 +2,7 @@

## WIP

- Prevent uploading .phps + .html files in assets manager
- Prevent uploading .phps + .(x)html files in assets manager
- Require verification for updating user data
- Support post field projection after content population (via ..{fieldname})
- Extract width + height and colors from uploaded svg files
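Review bot: The updated entry `Prevent uploading .phps + .(x)html files in assets manager` names only file extensions, while the same commit also extends `$forbiddenMime` in modules/Assets/bootstrap.php with `application/x-php`, `text/x-php` and `application/xhtml+xml`. Consider wording the entry so it mentions the MIME types as well, so that anyone reading the changelog can see that both denylists changed.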
7 changes: 5 additions & 2 deletions modules/Assets/bootstrap.php
Expand Up @@ -68,8 +68,11 @@
$allowed = $allowed == '*' ? true : str_replace([' ', ','], ['', '|'], preg_quote(is_array($allowed) ? implode(',', $allowed) : $allowed));
$max_size = $this->app->retrieve('assets/max_upload_size', 0);

$forbiddenExtension = ['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'htaccess'];
$forbiddenMime = ['application/x-httpd-php', 'text/html'];
$forbiddenExtension = ['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'xhtml', 'htaccess'];
$forbiddenMime = [
'application/x-httpd-php', 'application/x-php', 'text/x-php',
'text/html', 'application/xhtml+xml'
];

if (isset($files['name']) && is_array($files['name'])) {
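Review bot: The new `$forbiddenExtension` and `$forbiddenMime` arrays are denylists, and two lines above them `$allowed == '*' ? true : ...` appears to switch the allowlist off, so in that configuration these two arrays are the only file-type filter in the assets manager. This commit adding `xhtml` next to `html` shows that such a list has to be extended one type at a time; consider documenting that `*` leaves only the denylist in place and recommending an explicit `$allowed` list for deployments that serve uploads from the web root. The hunk also does not show how the arrays are compared: please confirm that the extension is lower-cased before the check and that the MIME type is detected server-side from the file contents (for example with `finfo`) rather than read from the client-supplied `type` field of the upload, which the client sets freely.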
