Stop allowing .htm + .html by default

craftcms · Jan 23, 2021 · 8ee85a8 · 8ee85a8
1 parent c93347a
commit 8ee85a8
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/CHANGELOG-v3.6.md b/CHANGELOG-v3.6.md
@@ -219,3 +219,6 @@
 - Fixed a bug where generated URLs would include the token from the current request, even if it had expired or met its usage limit.
 - Fixed a bug where Number field settings and input values could be stored incorrectly if the user’s formatting locale used a different decimal character that the application language.
 - Fixed a MySQL deadlock error that could occur when running background jobs. ([#7179](https://github.com/craftcms/cms/issues/7179))
+
+### Security
+- The default `allowedFileExtensions` config setting value no longer includes `htm` or `html`.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,9 @@
 ### Fixed
 - Fixed a bug where D3-formatted numbers were getting extra `.00`s added to them if the Intl extension wasn’t installed. ([#7402](https://github.com/craftcms/cms/issues/7402))
 
+### Security
+- The default `allowedFileExtensions` config setting value no longer includes `htm` or `html`.
+
 ## 3.6.0-RC4 - 2020-01-19
 
 ### Added

diff --git a/src/config/GeneralConfig.php b/src/config/GeneralConfig.php
@@ -133,8 +133,6 @@ class GeneralConfig extends BaseObject
         'gif',
         'gz',
         'gzip',
-        'htm',
-        'html',
         'itt',
         'jp2',
         'jpeg',