To enhance the security of Sitefinity's ImageEditorDialog control, two new properties have been added to it since Sitefinity 3.7 SP2:
AllowedFileExtensions – specifies the file extensions which are allowed for uploading by authenticated users. Default value (when you do not specify this property) – all file types!
AllowedFileExtensionsForAnonymousUsers – specifies the file extensions which are allowed for uploading by anonymous users (for example, when anonymous users write in the Forums module on a public page). Default value (when you do not specify this property) – no file types!
To set these properties:
1. Open:
~/your_website/Sitefinity/UserControls/Dialogs/ImageEditorDialog.aspx (for ImageEditorDialog)
or
~/your_website/Sitefinity/UserControls/Dialogs/DocumentEditorDialog.aspx (for DocumentEditorDialog).
2. Modify the ImageEditorDialog or DocumentEditorDialog control by adding the AllowedFileExtensions property. As the property value, enter the file extensions you want to allow, each starting with a dot and separated by commas.
Sample code:
<lib:ImageEditorDialog runat="server" DisplayMode="Images" AllowedFileExtensions=".jpg, .jpeg, .png" AllowedFileExtensionsForAnonymousUsers=".jpg"/>
With this code, you specify that authenticated users can upload only these three file types through the image dialog, and that anonymous users can upload only one file type.
Important note: when you do not set the AllowedFileExtensions property, you allow all file types for authenticated users. However, when you do not set the AllowedFileExtensionsForAnonymousUsers property, you forbid anonymous users from uploading any file type.
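The following added example (not Sitefinity's own code) models the allow-list check the two properties describe, including the asymmetric defaults from the note above: an unset AllowedFileExtensions admits every type for authenticated users, while an unset AllowedFileExtensionsForAnonymousUsers admits nothing for anonymous users. It assumes the comparison is case-insensitive and looks only at the text after the file name's last dot; neither detail is stated on the page.

```python
# Added illustration of the documented allow-list semantics; this is not
# Sitefinity's implementation. Assumptions not stated on the page:
# extensions compare case-insensitively and come from the last dot only.
import os
from typing import Optional, Set

# Property values taken from the article's sample markup.
ALLOWED_AUTHENTICATED = ".jpg, .jpeg, .png"
ALLOWED_ANONYMOUS = ".jpg"


def parse_allowed_extensions(value: Optional[str]) -> Optional[Set[str]]:
    """Turn a property string like ".jpg, .jpeg, .png" into a set of
    lowercase extensions.

    Returns None when the property is not set at all, so the caller can
    apply the per-audience default. An explicitly empty string yields an
    empty set, which allows nothing.
    """
    if value is None:
        return None
    exts: Set[str] = set()
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue  # tolerate stray commas such as ".jpg,,.png"
        if not item.startswith("."):
            item = "." + item  # normalise "jpg" to ".jpg"
        exts.add(item)
    return exts


def upload_allowed(filename: str, allowed_auth: Optional[str],
                   allowed_anon: Optional[str], is_authenticated: bool) -> bool:
    """Decide whether an upload is accepted for the current audience.

    Unset AllowedFileExtensions            -> every type for authenticated users.
    Unset AllowedFileExtensionsForAnonymousUsers -> nothing for anonymous users.
    """
    policy = parse_allowed_extensions(allowed_auth if is_authenticated else allowed_anon)
    if policy is None:
        return is_authenticated
    ext = os.path.splitext(filename)[1].lower()
    # A name without an extension never matches an explicit allow-list.
    return ext != "" and ext in policy
```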