U4-9559 - Security: files of type xhtml should not be allowed to be uploaded to the media section

Created by Sebastiaan Janssen 22 Feb 2017, 10:08:26 Updated by Sebastiaan Janssen 22 Feb 2017, 10:15:10

Tags: Unscheduled

This poses an XSS risk when people upload files with JavaScript in them; it will execute on the frontend.

2 Attachments

Comments

Sebastiaan Janssen 22 Feb 2017, 10:12:50

Fixed in: https://github.com/umbraco/Umbraco-CMS/commit/76b696e3bf4cbff6ac372aa390ea32b6a64bff5e


Sebastiaan Janssen 22 Feb 2017, 10:13:50

xhtml files are rejected after that change.
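
An upload extension check of the kind this issue asks for, written as an added example that is not part of the issue or of the linked Umbraco commit. The class name, the denylist entries other than xhtml, the policy for extensionless names and the sample file names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class MediaUploadFilter
{
    // Assumed denylist for illustration; only "xhtml" comes from the issue.
    private static readonly HashSet<string> Disallowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "xhtml", "html", "htm", "svg" };

    // Returns true when the file name may be stored in the media section.
    public static bool IsAllowed(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName)) return false;

        // Keep only the last path segment; some clients send a full path.
        var name = fileName.Split('/', '\\').Last();

        // NTFS alternate data stream syntax: "page.xhtml::$DATA" writes page.xhtml.
        var colon = name.IndexOf(':');
        if (colon >= 0) name = name.Substring(0, colon);

        // Windows drops trailing dots and spaces when the file is created,
        // so "page.xhtml." would land on disk as "page.xhtml".
        name = name.TrimEnd('.', ' ');

        var dot = name.LastIndexOf('.');
        // Policy choice in this example: names without an extension are rejected.
        if (dot < 0 || dot == name.Length - 1) return false;

        // HashSet uses OrdinalIgnoreCase, so "XHTML" matches "xhtml".
        return !Disallowed.Contains(name.Substring(dot + 1));
    }

    public static void Main()
    {
        // Constructed sample names, not taken from the issue.
        var samples = new[] { "photo.jpg", "page.xhtml", "PAGE.XHTML",
                              "page.xhtml.", "page.xhtml::$DATA", "report.xhtml.pdf" };
        foreach (var s in samples)
            Console.WriteLine("{0,-20} {1}", s, IsAllowed(s) ? "accepted" : "rejected");
    }
}
```

Only the final extension is compared, so `report.xhtml.pdf` is accepted; that matches how a static file handler picks the content type from the last extension.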


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.5.11

Sprint: Sprint 53

Story Points:

Cycle: