
Security recommendation change for allowed file types

In this article, we look at security recommendations for allowed file types.

Written by Yusef Abulaynain
Updated over 5 months ago

Mosaic allows files to be uploaded via the Documents screen, Steps and APIs. These files can be downloaded later. On upload, file types are validated to ensure that the file extension appears in the system property allowedFileExtensions.

This system property was introduced in release 20.1.2.0 and contains a comma-separated list of permitted extensions. The release notes asked for allowedFileExtensions to be reviewed as part of that upgrade, so it may already have been modified to meet local requirements.

You should be aware that certain file types, such as .html or .htm, can include embedded scripts. These scripts may be executed when the file is downloaded again and opened in an application.

In the case of a .html file, when it is downloaded and double-clicked by the worker, the embedded JavaScript, which could be malicious, may execute in a browser and create a cross-site scripting (XSS) vulnerability.

.html and .htm have been removed from the default allowedFileExtensions for 23.1.0.0. However, most customers will already have this system property set, and you will need to edit it yourself if you wish to remove these extensions.

As previously advised, you should ensure that the list of permitted file extensions is reviewed against your internal security policies and that the allowedFileExtensions property is updated accordingly.
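The following is an added illustration, not Mosaic's own validation code, of how an extension allow-list in the comma-separated format described above behaves before and after .html and .htm are removed. The two property values and the filenames are constructed; the real default list is not reproduced on this page.

```python
import os

# Constructed property values in the comma-separated allowedFileExtensions format.
# These are assumptions for illustration, not the product's actual defaults.
WEAK_ALLOWED = "pdf, docx, xlsx, jpg, png, html, htm"   # .html/.htm still permitted
HARDENED_ALLOWED = "pdf, docx, xlsx, jpg, png"          # .html/.htm removed

# Extensions that can carry embedded scripts when opened locally in a browser.
ACTIVE_CONTENT_EXTENSIONS = {"html", "htm"}


def parse_allowed_extensions(prop: str) -> set[str]:
    """Parse the comma-separated property into a normalised set of extensions.

    Whitespace, empty entries, leading dots and letter case are tolerated so that
    a hand-edited property value still compares correctly.
    """
    return {e.strip().lower().lstrip(".") for e in prop.split(",") if e.strip()}


def file_extension(filename: str) -> str:
    """Return the final extension of an uploaded filename, lower-cased, without the dot.

    Only the last extension counts, so 'report.pdf.html' is treated as html.
    """
    _, ext = os.path.splitext(os.path.basename(filename))
    return ext.lower().lstrip(".")


def is_upload_allowed(filename: str, prop: str) -> bool:
    """Apply the check the article describes: the extension must be on the allow-list."""
    ext = file_extension(filename)
    return bool(ext) and ext in parse_allowed_extensions(prop)


def review_allow_list(prop: str) -> list[str]:
    """List the script-capable extensions still present in a property value, for policy review."""
    return sorted(parse_allowed_extensions(prop) & ACTIVE_CONTENT_EXTENSIONS)


if __name__ == "__main__":
    for name in ("case-notes.pdf", "Assessment.HTML", "report.pdf.html"):
        print(name, "weak:", is_upload_allowed(name, WEAK_ALLOWED),
              "hardened:", is_upload_allowed(name, HARDENED_ALLOWED))
    print("needs review:", review_allow_list(WEAK_ALLOWED))
```

Running review_allow_list against your live property value is a quick way to confirm whether .html or .htm survived the upgrade.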
