We have moved to GitHub Issues
You are viewing the read-only archive of Umbraco's issue tracker. To create new issues, please head over to GitHub Issues.
Make sure to read the blog posts announcing the move for more information.
U4-9559 - Security: files of type xhtml should not be allowed to be uploaded to the media section
Created by Sebastiaan Janssen 22 Feb 2017, 10:08:26 Updated by Sebastiaan Janssen 22 Feb 2017, 10:15:10
Tags: UnscheduledThis poses an XSS risk when people upload files with javascript in it, it will execute on the frontend.
2 Attachments
Comments
Sebastiaan Janssen 22 Feb 2017, 10:12:50Fixed in: https://github.com/umbraco/Umbraco-CMS/commit/76b696e3bf4cbff6ac372aa390ea32b6a64bff5e
Sebastiaan Janssen 22 Feb 2017, 10:13:50
xhtml files are rejected after that change
Priority: Normal
Type: Bug
State: Fixed
Assignee:
Difficulty: Normal
Category: Security
Backwards Compatible: True
Fix Submitted:
Affected versions:
Due in version: 7.5.11
Sprint: Sprint 53
Story Points:
Cycle: