I just saw a disturbing video about hackers embedding cross-site script in filenames and metadata of images and other uploaded files. 

 

What is Cutesoft's recommendation for input validation of uploaded files?  Is there a simple method (like htmlEncode) for scrubbing all metadata fields, or do we need to actually create the object on the server from the input stream and look at all of its metadata?

 

Also, since AjaxUploader uploads using Ajax (by definition), it's bypassing my page's authorization check.  Is there a way to modify the handler to require a particular credential or authentication cookie?

 

Thanks!

 

Aaron

Aaron,

 

Please check the following thread:

 

Hi Aaron,

 

 

If you want to add more security check for the file,

 

You can use the FileValidating event.

 

when the FileValidating fired , that means the file is just uploaded and prepair to fire the FileUploaded.

 

So you can check more thing there, by using the HttpContext or other controls (for example, the custom varify code)

 

When you don't want accept that file , you can throw an exception:

 

if(..)throw(new Exception("Your error message"));

 

the uploader would catch that error , and show it in client's page.

 

 

Regards , Terry