davgothic / ajaxfileupload Goto Github PK

in Google Chrome 61.0.3163.100, server use tomcat

here I upload a file and server return a jsonstring like this
{"error":"","hasError":false,"results":0,"rows":[]}

and in your code
response = doc.body.innerHTML;

response will be like this
<pre style="word-wrap: break-word; white-space: pre-wrap;">{"error":"","hasError":false,"results":0,"rows":[]}</pre>

and next $.parseJSON cant parse it and get the error:
Unexpected token < in JSON at position 0

and I fixed it with :
try{
response = $.parseJSON(response);
} catch (e) {
var preIndex = response.indexOf('{')
var lastIndex = response.indexOf('}') + 1
response = $.parseJSON(response.substring(preIndex, lastIndex));
}

Hi! Your plugin, while being good from usability perspective, unfortunately lacks any input validation making it vulnerable to cross site request forgery, arbitrary file upload and, further on, remote code execution vulnerabilities.

Imagine your script being a part of some bigger application. Knowing the url to your script (upload.php) the attacker can upload any file of any contents to the server remotely. It can be, for example, a PHP file that deletes all files from the webserver, or send the sources of all PHP files to the attacker, or appends some malicious javascript to every .html found. Or a PHP shell - http://www.youtube.com/results?search_query=c99+shell&aq=f . The possibilities are limitless.

There should be a default configuration allowing only permitted whitelist of file extensions to accept, defaulting .e.g to jpeg, gif, png only. No js, no php, no html, no .htaccess for example. See here : http://hungred.com/useful-information/secure-file-upload-check-list-php/ on how to implement this.

Additionally, you should use basename() on $_FILES['']['name'] because in PHP 5.3.6 and older, an attacker could overwrite files rom the root of filesystem - see here http://blog.kotowicz.net/2011/06/file-path-injection-in-php-536-file.html

SecurityError: Permission denied to access property "document" on cross-origin object

I think this plug-in has several potential security problems:

The file type and size are not verified, so malicious files or oversized files may be allowed to upload, resulting in server resource consumption or malicious file tampering.

Failure to verify and filter the file name may cause malicious code in the file name or cause the file on the server to be overwritten or deleted.

The uploaded file is not encrypted or compressed, so it may leak the file content or make the file content easy to crack.

how can I validate the file size before ajax upload the file?

In fact, the plugin depends on iframe rather than ajax，which perplexs me alot.

SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data

$("#uploads").append(
$("").attr("src", filename).attr("width", 200)
);

this code is not working

I want the file upload percentage

Does not fire success in just safari on mac, using safari 6.1.. works on every other browser.. this is my code

$.ajaxFileUpload({
        type: "POST",
        url: baseurl + "upload/img_upload",
        fileElementId: "attachFile",
        dataType: "json",
        data: $("#account_upload").serialize(),
        success: function (json) {

        },
        error: function (data, errorThrown) {

        }
    });

when i use ajaxFileUpload in IE11,it enter in success callback function,but the data(it is the params) is "false",thus i ask my friend for helping,when he use it in IE11(his computer),he got it working normally,what's wrong?

I run the demo，but got an error

Blocked a frame with origin "null" from accessing a cross-origin frame. at HTMLIFrameElement.onComplet

i'm not sure this plug-in can be sued in my project ,my environment is jQuery 2.1.3.

It's not working in microsoft edge. Also, sometimes create issues in chrome, safari. Please, help regarding this how I can make it's AJAX request compatible with all browsers. Thanks

The source is missing a 'return true' statement after line 72.

when i update chrome version to be ‘83.0.4103.61’，it do not work.
please check it ,thanks