Ajax Uploader Security

  •  07-25-2008, 12:07 PM

    I just saw a disturbing video about hackers embedding cross-site script in filenames and metadata of images and other uploaded files. 
     
    What is Cutesoft's recommendation for input validation of uploaded files?  Is there a simple method (like htmlEncode) for scrubbing all metadata fields, or do we need to actually create the object on the server from the input stream and look at all of its metadata?
     
    Also, since AjaxUploader uploads using Ajax (by definition), it's bypassing my page's authorization check.  Is there a way to modify the handler to require a particular credential or authentication cookie?
     
    Thanks!
     
    Aaron
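
An added example, not part of the original post and not CuteSoft's code: a plain ASP.NET `IHttpHandler` that checks the caller's identity before accepting a file and treats the client-supplied filename as untrusted text. The handler name, the `Uploaders` role, the upload folder and the extension allow-list are assumptions; metadata embedded inside the file is not handled here.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical handler; it does not use or replace any AjaxUploader API.
public class GuardedUploadHandler : IHttpHandler
{
    // Constructed allow-list for this example.
    static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The browser sends the site's cookies with an Ajax request, so the
        // authenticated identity can be checked here just as on a page.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { context.Response.StatusCode = 401; return; }
        if (!context.User.IsInRole("Uploaders"))   // role name is an assumption
        { context.Response.StatusCode = 403; return; }

        HttpPostedFile file = context.Request.Files.Count > 0 ? context.Request.Files[0] : null;
        string safeName = file == null ? null : SanitizeFileName(file.FileName);
        if (safeName == null || file.ContentLength == 0)
        { context.Response.StatusCode = 400; return; }

        // Store under a server-generated name; the client name is kept only as data.
        string storedName = Guid.NewGuid().ToString("N") + Path.GetExtension(safeName);
        file.SaveAs(Path.Combine(context.Server.MapPath("~/App_Data/uploads"), storedName));

        // Encode at output time wherever the name is written into HTML.
        context.Response.ContentType = "text/plain";
        context.Response.Write(HttpUtility.HtmlEncode(safeName));
    }

    // Returns a reduced filename, or null if the name should be rejected.
    public static string SanitizeFileName(string clientName)
    {
        if (string.IsNullOrEmpty(clientName)) return null;
        // Cut any directory part by hand: Path.GetFileName can throw on '<', '>' or '|'.
        string name = clientName.Substring(clientName.LastIndexOfAny(new[] { '/', '\\' }) + 1);
        name = Regex.Replace(name, @"[^A-Za-z0-9._-]", "_");
        string ext = Path.GetExtension(name).ToLowerInvariant();
        if (name.Length == 0 || name.Length > 100) return null;
        return Array.IndexOf(AllowedExtensions, ext) >= 0 ? name : null;
    }
}
```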