Hi,
If you take this approach (a deny-list of extensions), you must enumerate every file type your server can execute or serve as active content — not just .aspx/.asp but every handler mapping on the box (e.g. .asax, .ascx, .asmx, .svc, .cshtml, .config, classic ASP's .asa/.cer) plus same-origin active content such as .html/.svg.
If you miss even one, an attacker uploads a web shell and your server is compromised. A deny-list is therefore the fragile option; an allow-list of the few types you actually need, storing uploads outside the web root under a server-generated name, is far safer.
-
<%@ Page Language="C#" Title="First sample" %>
-
<%@ Import Namespace="CuteWebUI" %>
-
<%@ Register TagPrefix="CuteWebUI" Namespace="CuteWebUI" Assembly="CuteWebUI.AjaxUploader" %>
-
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
-
-
<script runat="server">
-
-
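// Deny-list of extensions that must never be stored where IIS can serve them.
// A deny-list is only as good as its completeness: one missing executable or
// active-content type (or a handler mapping added later) is a web-shell upload
// waiting to happen. This list covers the common ASP.NET / classic ASP handler
// extensions, browser-rendered active content (stored XSS), client executables
// and other server-side script types, but it is illustrative, not exhaustive.
// For production prefer an allow-list of the types you need, store uploads
// outside the web root, and never let the client choose the stored file name.
// Entries are comma separated and matched case-insensitively.
string disabledExtList = "aspx,asp,asa,asax,ascx,ashx,asmx,axd,cer,cdx,config,cshtm,cshtml,vbhtm,vbhtml,master,skin,soap,rem,svc,xamlx,xoml,"
                       + "html,htm,xhtml,shtml,shtm,stm,mht,mhtml,svg,hta,"
                       + "exe,dll,com,bat,cmd,msi,scr,ps1,vbs,js,jse,wsf,wsh,jar,"
                       + "php,php3,php4,php5,phtml,jsp,jspx,cgi,pl,py,rb,sh";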
-
-
// Prepends a message to the on-page "Server Trace" list box and selects it,
// so the most recent event is always visible at the top.
void InsertMsg(string msg)
{
    const int top = 0;
    ListBoxEvents.Items.Insert(top, msg);
    // Select the entry just added so it shows without scrolling.
    ListBoxEvents.SelectedIndex = top;
}
-
// Raised by the uploader once a file has been accepted; records it in the trace list.
// NOTE(review): FileName is client-supplied. Here it only becomes ListBox item text,
// which ASP.NET list controls HTML-encode on render as far as I know — confirm that
// before reusing the name anywhere else (file paths, headers, raw markup).
protected void UploadAttachments1_AttachmentAdded(object sender, AttachmentItemEventArgs args)
{
    string fileName = args.Item.FileName;
    InsertMsg(string.Concat("Added..", fileName));
}
-
-
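// Server-side extension check; runs for every uploaded file.
// The client-side check further down this page is only a convenience: the user can
// disable JavaScript or post the upload directly, so this method is the real gate.
// Throws Exception("Invalid file type!") to make the uploader reject the file
// (kept as plain Exception because that is what the sample's uploader handles).
protected void UploadAttachments1_FileValidating(object sender, UploaderEventArgs args)
{
    if (HasDisabledExtension(args.FileName, disabledExtList))
    {
        throw (new Exception("Invalid file type!"));
    }
}

// Returns true when fileName carries any extension listed in disabledExtensions
// (comma separated, compared ordinal case-insensitively), or when the name contains
// characters that cannot legitimately appear in a stored file name.
//
// Deliberately stricter than Path.GetExtension(fileName) on the raw name, which the
// first version of this sample used. Known ways that simple check is bypassed:
//  - "shell.aspx." / "shell.aspx " : NTFS strips trailing dots and spaces when the
//    file is created, so the stored file is shell.aspx although GetExtension
//    returned "" or " " and the deny-list lookup passed.
//  - "shell.aspx.jpg" : only the last segment was examined; some servers and
//    configurations resolve the handler from an earlier segment, so every dotted
//    segment is checked here.
//  - "shell.asp;.jpg" / "shell.aspx::$DATA" : ';' and ':' confuse path parsing on
//    older IIS versions and NTFS alternate data streams. Such names are refused.
//  - ToLower() is culture sensitive (e.g. Turkish dotless i) and can break a
//    case-insensitive match; OrdinalIgnoreCase is used instead.
// Because this is a deny-list, a name with no extension at all is still accepted;
// an allow-list would be the safer design.
static bool HasDisabledExtension(string fileName, string disabledExtensions)
{
    if (fileName == null || fileName.Length == 0)
    {
        return false;
    }

    // Some browsers send the full client path; only the last component is stored.
    string name = fileName;
    int lastSeparator = name.LastIndexOfAny(new char[] { '\\', '/' });
    if (lastSeparator >= 0)
    {
        name = name.Substring(lastSeparator + 1);
    }

    // Refuse characters that cannot be part of a stored file name or that are used
    // for parser-confusion tricks; a legitimate upload never needs them.
    if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 || name.IndexOf(';') >= 0)
    {
        return true;
    }

    // Mirror what the file system will do before looking at the extension.
    name = name.TrimEnd('.', ' ');

    string[] denied = disabledExtensions == null ? new string[0] : disabledExtensions.Split(',');
    string[] segments = name.Split('.');

    // Segment 0 is the base name; every later segment is a candidate extension.
    for (int s = 1; s < segments.Length; s++)
    {
        string candidate = segments[s].Trim();
        for (int d = 0; d < denied.Length; d++)
        {
            string entry = denied[d].Trim();
            if (entry.Length > 0 && string.Equals(candidate, entry, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
    }
    return false;
}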
-
</script>
-
-
<html xmlns="http://www.w3.org/1999/xhtml">
-
<head id="Head1" runat="server">
-
</head>
-
<body>
-
<form id="Form1" runat="server">
-
<script src="../PageUpload/TempSource.js"></script>
-
<CuteWebUI:UploadAttachments runat="server" ID="UploadAttachments1" OnAttachmentAdded="UploadAttachments1_AttachmentAdded" OnFileValidating="UploadAttachments1_FileValidating">
-
</CuteWebUI:UploadAttachments>
-
<br />
-
<div>
-
Server Trace:
-
<br />
-
<asp:ListBox runat="server" ID="ListBoxEvents" Width="800"></asp:ListBox>
-
</div>
-
</form>
-
<script type="text/javascript">
    // Server-side deny-list mirrored for the client-side pre-check below.
    // The value is written unencoded into a JS string literal; that is only safe
    // because it is a server-side constant. If the list ever comes from config or
    // user input, JavaScript-string-encode it before emitting it here.
    var disabledExtList = '<%=disabledExtList %>';
</script>
-
<script type="text/javascript">
-
// Toggle for the client-side extension filter. This is NOT a security control — the
// user can switch it off or bypass the browser entirely — it only spares a round trip
// to the server. Set it to false to exercise the server-side validation on its own.
var useclientvalidation = true;
-
// Client-side pre-check run by the uploader when files are selected.
// It cancels any file whose last extension is on the deny-list. This is purely a
// convenience: anyone can disable it or post directly to the server, so the
// server-side UploadAttachments1_FileValidating is the check that matters.
function CuteWebUI_AjaxUploader_OnSelect(files)
{
    if (!useclientvalidation)
    {
        return;
    }
    var denied = "," + disabledExtList + ",";
    for (var i = 0; i < files.length; i++)
    {
        var file = files[i];
        // Text after the last dot, lower-cased and comma-delimited so the
        // substring search can only match a whole list entry.
        var parts = file.FileName.split('.');
        var ext = "," + parts[parts.length - 1].toLowerCase() + ",";
        if (denied.indexOf(ext) === -1)
        {
            continue;
        }
        file.Cancel();
        // The delimiters stay in the message, as in the original sample.
        alert("Javascript : Invalid file type : " + ext);
    }
}
-
</script>
-
-
</body>
-
</html>
Regards,
Terry