Asger
TTC | Theo's Typesafe Cult
Created by Asger on 5/16/2024 in #questions
Security: How to genuinely not allow HTML?
How do you guys do it? I can create a FileRouter and not include blob or text as file types:
import { createUploadthing } from "uploadthing/next"; // adapter import depends on your framework

const f = createUploadthing();

export const ourFileRouter = {
  fileUploader: f({
    image: stdConfig,
    video: stdConfig,
    audio: stdConfig,
    pdf: stdConfig,
  })
  // ...
}
And now when I use the UploadDropzone or UploadButton component, I cannot select files with the file extension .html. Partial success! I can still upload HTML files though, as long as I disguise them as PDFs or something else that I allow. This file is fine, according to UploadThing:
$ cat html_file.pdf
<html><body><script>alert('You have been hacked')</script></body></html>
$ file html_file.pdf
html_file.pdf: HTML document, ASCII text
So my question is: what do you guys do? Do you read and sanitize files? That's a lot of computation. Maybe you can use something like the Unix file command? Looking for ideas here 🙂
Best regards,
Asger
3 replies
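The check the question is asking about, as an added example that is not code from the original post or from UploadThing: the client-side type filter only looks at the extension and declared MIME type, so the server has to look at the bytes. This is the same thing `file` does for the renamed HTML above, done in TypeScript with magic-byte signatures for the four categories in the router (image, video, audio, pdf) plus a browser-style text/html sniff. Assumed and not from the page: the subset of formats accepted per category (`ALLOWED`), the `sniffMagic`/`checkUpload` names, and the constructed sample inputs at the bottom.

```typescript
// Added example (not UploadThing's own code): server-side magic-byte sniffing.
// Assumption: the site only needs these formats; SVG is deliberately absent
// because it is XML that can carry <script> and should be treated like HTML.
type Category = "image" | "video" | "audio" | "pdf";
type Sniffed =
  | "pdf" | "png" | "jpeg" | "gif" | "webp"
  | "mp4" | "mp3" | "wav" | "html" | "unknown";

// Which sniffed formats are acceptable for each declared category.
const ALLOWED: Record<Category, readonly Sniffed[]> = {
  image: ["png", "jpeg", "gif", "webp"],
  video: ["mp4"],
  audio: ["mp3", "wav"],
  pdf: ["pdf"],
};

function ascii(s: string): number[] {
  const out: number[] = [];
  for (let i = 0; i < s.length; i++) out.push(s.charCodeAt(i));
  return out;
}

// True if `bytes` contains `sig` starting at `offset`.
function hasBytes(bytes: Uint8Array, sig: number[], offset: number = 0): boolean {
  if (bytes.length < offset + sig.length) return false;
  return sig.every((b, i) => bytes[offset + i] === b);
}

// Roughly what a browser does when it sniffs text/html: skip a UTF-8 BOM and
// leading whitespace, then look at the first tag. Additionally flags <script>
// anywhere in the first KiB, which is stricter than browsers are.
const HTML_OPENERS = ["<!doctype html", "<html", "<head", "<body", "<script", "<iframe", "<svg", "<?xml", "<!--"];

function looksLikeHtml(bytes: Uint8Array): boolean {
  let head = "";
  const n = Math.min(bytes.length, 1024);
  for (let i = 0; i < n; i++) head += String.fromCharCode(bytes[i]);
  head = head.replace(/^\xEF\xBB\xBF/, "").replace(/^\s+/, "").toLowerCase();
  return HTML_OPENERS.some((t) => head.indexOf(t) === 0) || head.indexOf("<script") !== -1;
}

// Identify the real format from the leading bytes, independent of filename.
function sniffMagic(bytes: Uint8Array): Sniffed {
  if (hasBytes(bytes, ascii("%PDF-"))) return "pdf";
  if (hasBytes(bytes, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return "png";
  if (hasBytes(bytes, [0xff, 0xd8, 0xff])) return "jpeg";
  if (hasBytes(bytes, ascii("GIF87a")) || hasBytes(bytes, ascii("GIF89a"))) return "gif";
  if (hasBytes(bytes, ascii("RIFF")) && hasBytes(bytes, ascii("WEBP"), 8)) return "webp";
  if (hasBytes(bytes, ascii("RIFF")) && hasBytes(bytes, ascii("WAVE"), 8)) return "wav";
  if (hasBytes(bytes, ascii("ftyp"), 4)) return "mp4";   // ISO BMFF: 4-byte box size, then "ftyp"
  if (hasBytes(bytes, ascii("ID3"))) return "mp3";        // ID3v2 tag ahead of the audio frames
  if (bytes.length >= 2 && bytes[0] === 0xff && (bytes[1] & 0xe0) === 0xe0) return "mp3"; // bare MPEG frame sync
  if (looksLikeHtml(bytes)) return "html";
  return "unknown";
}

interface Verdict { ok: boolean; sniffed: Sniffed; reason?: string }

// Fail closed: anything not positively identified as an allowed format is rejected,
// so an HTML file renamed to .pdf is refused even though the extension matched.
function checkUpload(declared: Category, bytes: Uint8Array): Verdict {
  const sniffed = sniffMagic(bytes);
  if (ALLOWED[declared].indexOf(sniffed) !== -1) return { ok: true, sniffed };
  const reason = sniffed === "html"
    ? `declared ${declared} but content is HTML`
    : `declared ${declared} but content sniffs as ${sniffed}`;
  return { ok: false, sniffed, reason };
}

// Constructed sample inputs (not real uploads): the HTML file from the question
// saved as .pdf, a minimal real PDF header, and a PNG signature.
const enc = new TextEncoder();
const HTML_AS_PDF = enc.encode("<html><body><script>alert('You have been hacked')</script></body></html>");
const REAL_PDF = enc.encode("%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n");
const PNG_SIG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);

console.log("html_file.pdf as pdf:", checkUpload("pdf", HTML_AS_PDF));
console.log("real pdf as pdf:     ", checkUpload("pdf", REAL_PDF));
console.log("png as image:        ", checkUpload("image", PNG_SIG));
```

Where to run it is the real constraint: a router's pre-upload hook only sees metadata, not the file, so a check like this has to run wherever the server can actually read the stored bytes (for example a post-upload step that fetches the object and deletes it on failure; how that is wired is an assumption about your setup, not something the question shows). Reading only the first kilobyte keeps the cost trivial, unlike full-file sanitization. And whatever the sniffing says, serve user uploads from a separate origin with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, so that a file that does slip through cannot run script in your application's origin.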