2

I am using CKFinder (v2.1) to manage an image library and I am adding support for SVG images now. After editing the config file everything worked fine for the first few test files. Now I'm occasionally getting this error message, "Upload cancelled due to security reasons. The file contains HTML-like data." It's only on some SVG files, not all. I looked through the source of a file that worked trying to compare against the source of files that fail and have not been able to find anything that might cause a problem. SO and Google searches haven't really turned up anything helpful. Just wondering if anyone else has run across this and if so, how did you resolve it?

  • Is there a reason why you are using CKFinder 2.1? This version was released 5 years ago, there were plenty of new features and bug fixes (including security patches) released during this time. For applications that are installed on your web server and allow users access to upload functionality it is really important to upgrade regularly... – Anna Tomanek Mar 15 '16 at 13:18
  • Completely agree, @Anna Tomanek. This is a legacy app on a protected intranet, so the upgrade path for this is a little more relaxed than normal. It will be upgraded at some point. – user3374407 Mar 15 '16 at 19:23
  • Great to hear that - check out the [demo of the most recent CKFinder 3.3](https://cksource.com/ckfinder/demo) - it's so much better than the previous version! Hope this will give you an additional incentive to upgrade, apart from the obvious security aspect! :) – Anna Tomanek Mar 16 '16 at 09:30

1 Answer

3

SVG is an XML-based file format with optional compression. In the uncompressed case it may contain some tags that are common with HTML. By default CKFinder rejects files that contain HTML code in the first 1024 bytes and are not white-listed in the configuration.

To solve your issue, add the SVG extension to the allowed HTML extensions in your configuration file (ASP.NET connector):

```csharp
HtmlExtensions = new string[] { "html", "htm", "xml", "js", "svg" };
```

For the PHP connector the configuration option may look like this:

```php
$config['HtmlExtensions'] = array('html', 'htm', 'xml', 'js', 'svg');
```

If you are using some other connector, you can find how to add the SVG extension to the allowed HTML extensions in the documentation.

kfazi
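The behaviour described in this answer, sketched as an added example (not CKFinder's code and not part of the answer): a check that sniffs only the first 1024 bytes for HTML-like markers unless the extension is white-listed. The marker list, function names and sample SVGs are assumptions constructed for illustration; the point is why some SVG files trip the check and others do not.

```python
import re

SNIFF_BYTES = 1024  # per the answer: only the first 1024 bytes are inspected

# Assumed marker list for illustration; CKFinder's real list may differ.
HTML_MARKERS = (b"<body", b"<head", b"<html", b"<img", b"<pre",
                b"<script", b"<table", b"<title")
HTML_DOCTYPE = re.compile(rb"<!doctype\W+x?html")


def html_like_markers(data):
    """Return the HTML-like markers found in the sniffed head of `data`."""
    head = data[:SNIFF_BYTES].lower()
    hits = [m.decode() for m in HTML_MARKERS if m in head]
    if HTML_DOCTYPE.search(head):
        hits.append("<!doctype html")
    return hits


def upload_allowed(filename, data, html_extensions):
    """White-listed extensions skip the sniff; everything else must be clean."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in html_extensions:
        return True
    return not html_like_markers(data)


# Constructed sample files (not taken from the question).
SVG_NS = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
PLAIN_SVG = b'<?xml version="1.0"?>\n' + SVG_NS + b'<rect width="10" height="10"/></svg>'
# <title> is a valid SVG element, but it is also an HTML tag name.
TITLED_SVG = SVG_NS + b"<title>Logo</title><rect width='10' height='10'/></svg>"
# Same element, pushed past the sniff window by a long editor comment.
LATE_TITLE_SVG = SVG_NS + b"<!-- " + b"x" * 1100 + b" --><title>Logo</title></svg>"

if __name__ == "__main__":
    default_exts = {"html", "htm", "xml", "js"}
    for name, blob in [("plain.svg", PLAIN_SVG), ("titled.svg", TITLED_SVG),
                       ("late_title.svg", LATE_TITLE_SVG)]:
        print(name, html_like_markers(blob),
              "allowed" if upload_allowed(name, blob, default_exts) else "rejected")
```

Once `svg` is in the allowed list this check no longer inspects SVG uploads at all, so an SVG carrying a `<script>` element passes it as well; if uploaders are not fully trusted, sanitize SVG files or serve the library with a restrictive Content-Security-Policy.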