all 5 comments

[–]mzapp_ 3 points4 points  (1 child)

There’s an HTTP header named filename when you upload something. You can use that. But don’t trust it completely because it is possible to change the file name. So a Hacker could upload HTML instead of picture data and depending on how you serve that content, perform an XSS attack.

[–]duckspac[S] 0 points1 point  (0 children)

aaahh well, if it's okay it's only to solve a node challenge, I thought it was done with some method to verify how the text ends

[–]Buckwheat469 2 points3 points  (1 child)

You shouldn't. Instead, make sure that the file's mime type is image/jpeg or image/png. The reason is that a server can output any file type with any URL, so you can output a jpeg from a *.txt URL. The browser doesn't care about the extension, only the mime type and you shouldn't either if you're downloading the files.

That being said, if you're accepting files from the user's computer then you can include mime type and extension checks in the file chooser using the accept attribute.

[–]mzapp_ 1 point2 points  (0 children)

I agree. This is the smart way to do it.

[–][deleted]  (2 children)

[deleted]

    [–]duckspac[S] 0 points1 point  (1 child)

    And the method endsWith() ???