EE Insider Tips
ExpressionEngine mini-howtos created by the EE Insider community.
The filetype you are attempting to upload has invalid content for its MIME type
Well this one is different to the Freeform upload issue I added a week or so ago.
When a user uploads content, EE attempts to filter that content against XSS (Cross Site Scripting, a technique the bad guys use to compromise your site).
A logged-in Super Admin is automatically trusted by EE and bypasses XSS filtering, but your users get filtered. This led to a situation where I could upload (as Super Admin) but other site members could not without seeing the error, ‘The filetype you are attempting to upload has invalid content for its MIME type’.
You can turn XSS filtering off completely… but that’s bad! You shouldn’t do that. The solution is a Hidden Configuration Variable!
Get the IDs of the trusted member groups you want to bypass XSS filtering and note them down.
Then open your config.php file and add the following:
$conf['xss_clean_member_group_exception'] = "7,6";
The above is a comma-separated list of member groups exempted from XSS filtering; just add your trusted groups (in my case 7,6) and away you go.
jfp.
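A defensive check for the exception list described above, as an added example that is not part of the original post or of ExpressionEngine: it reads config.php as text (without executing it) and reports which groups and members bypass XSS filtering. The function name, the sample config, and the stock group IDs (2 Banned, 3 Guests, 4 Pending, 5 Members) are assumptions; the per-member variable is the one named in the comments below.

```python
import re

# Hidden config variables named on this page (post and comments).
XSS_KEYS = ("xss_clean_member_group_exception", "xss_clean_member_exception")

# Assumption: stock ExpressionEngine group IDs. Adjust if your install
# uses different numbering for its low-trust groups.
UNTRUSTED_GROUPS = {2: "Banned", 3: "Guests", 4: "Pending", 5: "Members"}

# Matches uncommented lines of the form: $conf['key'] = "value";
ASSIGN_RE = re.compile(
    r"""^\s*\$conf\[\s*['"](?P<key>\w+)['"]\s*\]\s*=\s*['"](?P<val>[^'"]*)['"]\s*;""",
    re.MULTILINE,
)

def audit_xss_exceptions(config_text):
    """Return (exceptions, findings) for the XSS exception keys in config_text."""
    exceptions = {key: [] for key in XSS_KEYS}
    findings = []
    for m in ASSIGN_RE.finditer(config_text):
        key = m.group("key")
        if key not in XSS_KEYS:
            continue
        ids = []  # a later assignment replaces an earlier one, as in PHP
        for item in (s.strip() for s in m.group("val").split(",")):
            if re.fullmatch(r"[0-9]+", item):
                ids.append(int(item))
            elif item:  # ignore empty items such as a trailing comma
                findings.append(f"{key}: non-numeric entry {item!r}")
        exceptions[key] = ids
    for gid in exceptions["xss_clean_member_group_exception"]:
        if gid in UNTRUSTED_GROUPS:
            findings.append(
                f"group {gid} ({UNTRUSTED_GROUPS[gid]}) bypasses XSS filtering")
    return exceptions, findings

# Constructed sample config.php content, not taken from a real site.
SAMPLE = '''<?php
$conf['site_name'] = "Example";
// $conf['xss_clean_member_group_exception'] = "1";
$conf['xss_clean_member_group_exception'] = "7,6, 3";
$conf['xss_clean_member_exception'] = "3,4,x";
'''

if __name__ == "__main__":
    found, problems = audit_xss_exceptions(SAMPLE)
    print(found)
    for p in problems:
        print("WARN:", p)
```
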
ChiefAlchemist — 12:02 on 07.13.2010
Thanks. I hate it when this happens
Question: As an added level of “security”, is there a way to do this for individual users? Or is it necessary to dupe a member group and then “grant” one group upload bypass access, and the other not?
johnniefp — 12:07 on 07.13.2010
Hello,
I’m under the impression that the XSS setting cannot be set on a per member basis. Sure I read that somewhere - difficult to google it to confirm while the forums are in flux.
Wes Baker — 06:24 on 07.19.2010
Actually, I think you can turn off XSS for individual users by using the $conf['xss_clean_member_exception'] config variable. Use it in the same way by separating multiple member ids with a comma (e.g. "3,4,6,10").
johnniefp — 08:12 on 07.19.2010
Thanks for the update Wes, I don’t remember ever seeing that one.