- Issue created by @kim.pepper
- 🇬🇧 United Kingdom alexpott 🇪🇺
I don't think we should simplify it at all. I think we need to make it harder. Ideally only with the contrib module "Bad judgement" installed. At the very least we should prevent it from working in core unless the setting allow_insecure_uploads is set to true. Because if you set it to an empty string you are allowing insecure uploads... yes by default nothing from the \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSIONS list but still everything else... like I'm pretty sure I could exploit being able to upload an htm file and having inline JS. If I can trick a logged-in user to visit that URL... profit.
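To make the distinction in the comment above concrete, here is an added PHP illustration (not Drupal core code and not from the issue): a permissive extension check where an empty allowed-extensions string means "anything not on the insecure list", beside a hardened variant that only honours an empty allowlist when a hypothetical `allow_insecure_uploads` flag is explicitly set. The `INSECURE_EXTENSIONS` list here is an assumed, abbreviated stand-in for the real core constant.

```php
<?php
// Added illustration of the two semantics discussed in the issue comment.
// INSECURE_EXTENSIONS below is an assumed, shortened stand-in for
// \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSIONS; check your core version.
const INSECURE_EXTENSIONS = ['php', 'phtml', 'phar', 'pl', 'py', 'cgi', 'asp', 'js'];

function extensionOf(string $filename): string {
  return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Permissive semantics: an empty allowlist accepts every extension that is
// not explicitly insecure, so 'page.htm' (with inline JS, served from the
// site's origin) is accepted.
function isAllowedPermissive(string $filename, string $allowedExtensions): bool {
  $ext = extensionOf($filename);
  if (in_array($ext, INSECURE_EXTENSIONS, TRUE)) {
    return FALSE;
  }
  if (trim($allowedExtensions) === '') {
    return TRUE;
  }
  $allowed = preg_split('/[\s,]+/', strtolower(trim($allowedExtensions)));
  return in_array($ext, $allowed, TRUE);
}

// Hardened semantics: an empty allowlist is rejected outright unless the site
// has opted in through the (hypothetical) allow_insecure_uploads setting.
// The insecure-extension block still applies even after opting in.
function isAllowedHardened(string $filename, string $allowedExtensions, bool $allowInsecureUploads = FALSE): bool {
  if (trim($allowedExtensions) === '' && !$allowInsecureUploads) {
    return FALSE;
  }
  return isAllowedPermissive($filename, $allowedExtensions);
}

// Constructed sample filenames, checked against an empty allowlist.
foreach (['report.pdf', 'page.htm', 'shell.php'] as $name) {
  printf("%-11s permissive: %-5s  hardened: %s\n", $name,
    isAllowedPermissive($name, '') ? 'allow' : 'deny',
    isAllowedHardened($name, '') ? 'allow' : 'deny');
}
```

With an empty allowlist the permissive check lets `page.htm` through while blocking only `shell.php`; the hardened check denies all three until the opt-in flag is set.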