New Feature: Upload Restrictions

Call admins now have the ability to restrict which types of files are allowed for uploads.

The new setting is in two places: the form builder and the Publishing Module. In both cases it is a safelist (as opposed to a blocklist) meaning authors are only allowed to upload files with extensions you specify. Or put another way, authors are prohibited from uploading files not in the list.

For example, if you are collecting speaker headshots and only want JPEGs, you would enter “jpeg jpg”. That way, only filenames ending with “.jpeg” or “.jpg” would be allowed.

Screenshots of new filetypes settingThe image to the right contains two screenshots. The one on top shows how the new setting looks in the form builders while the one on the bottom shows the setting in the Publishing Module.

Here are some other important details about the new feature:

  • The following file extensions are included by default whenever a file-upload field is added to a form or the Publishing Module is activated:
    • Compressed archives (.zip)
    • Images (.gif, .jpeg, .jpg, .png, .tif, .tiff)
    • PDFs (.pdf)
    • Powerpoint presentations (.ppt, .pptx)
    • Videos (.mov, .mp4, .wmv)
    • Word docs (.doc, .docx)

    Feel free to add or remove the default extensions to suit your needs.

  • Extensions may be entered any number of ways:
    • uppercase or lowercase (e.g. “JPEG” and “jpeg” are identical)
    • with or without commas (e.g. “jpeg, jpg” and “jpeg jpg” are identical)
    • with or without a dot (e.g. “.jpeg” and “jpeg” are identical)

    You can even mix and match! (e.g. “jpeg .jpg, gif, .PDF”)

  • Enter as many extensions as you like. There is no limit.
  • The feature is designed to catch any file with an extension that does not match its actual type. For example, if you only allow files ending in “.gif” and someone uploads a file named “upload.gif” that is actually a PDF, the system will reject the file.
  • It is only possible to safelist extensions. (Blocklists are not as secure.)
  • Leave the setting blank if you do not want to have any restrictions. It is extremely important to understand, however, that this is not recommended because it allows users to upload any type of file, including executables (.exe), which are extremely risky.
  • Lastly, consider limiting the list to common filetypes. Doing so might place a bit of an extra burden on authors but it will make life easier for reviewers. Take presentations for example. You could allow Powerpoint (.ppt and .pptx), Keynote (.key), Prezi (.exe), and Visme (.zip) files but this can cause two problems:
    1. Reviewers would need all of those applications to view files.
    2. A couple of the extensions (.exe and .zip) are not limited to presentation applications and would allow any executable or compressed archive to be uploaded.

    Instead, consider allowing only PDFs (.pdf), which can be generated from any of the above applications and can be viewed by reviewers in any web browser.

I hope you will find the new setting useful. If you have any feedback please do not hesitate to let me know. And if you have any tips for other call admins, please be sure to leave them in the comments below.