Content Hub Tip #19: Filter out allowed extensions for upload

 



The safety of a platform is everyone's obligation. As an administrator, the best place to start is by allowing only a limited set of file types. This can easily be managed via configuration. In this blog post we will show you how to do it.

So let's start moving. You first need to navigate to a page with a Creation component. For this example, I'm using the Create page below Home. Open up the Creation component by clicking on it. Then click on Upload files. This will open up the configuration of uploading new files.

Creation component default configuration

The first thing you might notice is that by default, Sitecore has already configured the Allowed extensions option. They have chosen the path of least resistance and used a deny list rather than an allow list. The risk with a deny list is that you need to keep adding file types that turn out to be a risk in the future. With an allow list, you only allow the file extensions that you want. It's a far safer approach than the deny list.

To change the configuration to an allow list, change the All except value to Only. Next, remove all the extensions that you don't want, then add the extensions that you want users to be able to upload. It should look similar to this.

Improved allowed extensions configuration

Remark: The allowed extensions property expects file extensions to be added without an asterisk and without a dot. So please add the extensions like this: png jpg tiff svg. Otherwise, your users will not be able to upload files with that extension.
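To check a list before you paste it into the component, and to see how the two modes differ on the same files, here is a small Python sketch. It is an example added to this post, not Content Hub's own code: the function names, the case-insensitive matching and the sample deny list are assumptions made for illustration.

```python
import os

def lint_extensions(entries):
    """Split entries into (clean, rejected); clean means a bare extension such as 'png'."""
    clean, rejected = [], []
    for raw in entries:
        ext = raw.strip().lower()
        # A dot or asterisk ('.jpg', '*.tiff') is the mistake the remark warns about.
        if ext.isalnum():
            clean.append(ext)
        else:
            rejected.append(raw)
    return clean, rejected

def is_allowed(filename, mode, extensions):
    """Model of the two modes: 'Only' is an allow list, 'All except' is a deny list."""
    # Files without an extension yield an empty string, which is never in the list.
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    listed = ext in extensions
    if mode == "Only":
        return listed
    if mode == "All except":
        return not listed
    raise ValueError(f"unknown mode: {mode!r}")

ALLOW = ["png", "jpg", "tiff", "svg"]  # the extensions from the remark above
DENY = ["exe", "bat", "cmd"]           # constructed sample, not Sitecore's default list

def compare(filenames):
    """Return {filename: (allowed under 'Only', allowed under 'All except')}."""
    return {
        name: (is_allowed(name, "Only", ALLOW), is_allowed(name, "All except", DENY))
        for name in filenames
    }

if __name__ == "__main__":
    print(lint_extensions(["png", ".jpg", "*.tiff", "svg"]))
    # Constructed file names: an image, a listed executable, an unlisted type, no extension.
    for name, (only, all_except) in compare(
        ["photo.PNG", "installer.exe", "macro.xlsm", "README"]
    ).items():
        print(f"{name:15} Only={only!s:5} All except={all_except}")
```

The unlisted type and the file without an extension pass the deny list but not the allow list, which is the maintenance gap described above.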

For more information about the Creation component, be sure to check out the documentation.

Until next time!